<?xml version="1.0" encoding="ISO-8859-7" standalone="no"?>
<!--
     The FreeBSD Handbook: Firewalls

     The FreeBSD Greek Documentation Project

     $FreeBSD$

     %SOURCE%	en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml
     %SRCID%	39270
-->

<chapter id="firewalls">
  <chapterinfo>
    <authorgroup>
      <author>
        <firstname>Joseph J.</firstname>
        <surname>Barbish</surname>
        <contrib>Contributed by </contrib>
      </author>
    </authorgroup>
    <authorgroup>
      <author>
        <firstname>Brad</firstname>
        <surname>Davis</surname>
        <contrib>Converted to SGML and updated by </contrib>
      </author>
    </authorgroup>
  </chapterinfo>

  <title>Firewalls</title>

  <indexterm><primary>firewall</primary></indexterm>
  <indexterm>
    <primary>security</primary>
    <secondary>firewalls</secondary>
  </indexterm>

  <sect1 id="firewalls-intro">
    <title>Synopsis</title>

    <para>A firewall makes it possible to filter the incoming and outgoing
      traffic that flows through your system. A firewall can use one or
      more sets of <quote>rules</quote> to inspect network packets as they
      enter or leave a network connection, and either allow the traffic
      through or block it. The rules of a firewall can inspect one or more
      characteristics of the packets, including but not limited to the
      protocol type, the source or destination host address, and the
      source or destination port.</para>

    <para>Firewalls can greatly enhance the security of a host or a
      network. They can be used to do one or more of the following:</para>

    <itemizedlist>
      <listitem>
        <para>Protect and insulate the applications, services and machines
          of your internal network from unwanted traffic coming in from the
          Internet.</para>
      </listitem>

      <listitem>
        <para>Limit or block access from hosts on the internal network to
          services on the Internet.</para>
      </listitem>

      <listitem>
        <para>Support network address translation
          (<acronym>NAT</acronym>), which allows your internal network to
          use private <acronym>IP</acronym> addresses and share a single
          connection to the Internet (either through a single public
          <acronym>IP</acronym> address, or through a pool of public
          addresses that are assigned automatically).</para>
      </listitem>
    </itemizedlist>

    <para>After reading this chapter, you will know:</para>

    <itemizedlist>
      <listitem>
        <para>How to properly define packet filtering rules.</para>
      </listitem>

      <listitem>
        <para>The differences between the various firewalls built into
          &os;.</para>
      </listitem>

      <listitem>
        <para>How to configure and use the OpenBSD
          <application>PF</application> firewall.</para>
      </listitem>

      <listitem>
        <para>How to configure and use
          <application>IPFILTER</application>.</para>
      </listitem>

      <listitem>
        <para>How to configure and use
          <application>IPFW</application>.</para>
      </listitem>
    </itemizedlist>

    <para>Before reading this chapter, you should:</para>

    <itemizedlist>
      <listitem>
        <para>Understand basic &os; and Internet concepts.</para>
      </listitem>
    </itemizedlist>
  </sect1>

  <sect1 id="firewalls-concepts">
    <title>Firewall Concepts</title>

    <indexterm>
      <primary>firewall</primary>
      <secondary>rulesets</secondary>
    </indexterm>

    <para>There are two basic ways to create firewall rule sets:
      <quote>inclusive</quote> and <quote>exclusive</quote>. An exclusive
      firewall allows all traffic through except for the traffic matching
      its rules. An inclusive firewall does the reverse: it only allows
      traffic matching its rules through and blocks everything
      else.</para>

    <para>Inclusive firewalls offer much better control of the outgoing
      traffic, and are therefore a better choice for systems that offer
      services to the public Internet. They also control the packets
      originating from the public Internet that are destined for your
      private network. By default, all traffic that does not match the
      rules is blocked and logged. Inclusive firewalls are generally safer
      than exclusive firewalls, because they significantly reduce the
      chance of unwanted traffic passing through them.</para>

    <note>
      <para>Unless noted otherwise, all configuration and example rule sets
        shown in this chapter create inclusive firewalls.</para>
    </note>

    <para>Security can be tightened further using a <quote>stateful
      firewall</quote>. This type of firewall keeps track of the
      connections that carry data through it, and only allows traffic
      which either matches an existing connection or opens a new one. The
      disadvantage of a stateful firewall is that it can be vulnerable to
      Denial of Service (<acronym>DoS</acronym>) attacks if it receives a
      large number of requests to open new connections within a short
      period of time. With most firewalls it is possible to combine both
      behaviors (stateful and non-stateful) to build the optimal firewall
      for a particular use.</para>
  </sect1>

  <sect1 id="firewalls-apps">
    <title>Firewall Packages</title>

    <para>&os; has three different firewall packages built into the base
      system. They are: <emphasis>IPFILTER</emphasis> (also known as
      <acronym>IPF</acronym>), <emphasis>IPFIREWALL</emphasis> (also known
      as <acronym>IPFW</acronym>), and the <emphasis>OpenBSD</emphasis>
      <emphasis>PacketFilter</emphasis> (also known as
      <acronym>PF</acronym>). &os; also has two built-in packages for
      traffic shaping (controlling the available bandwidth): &man.altq.4;
      and &man.dummynet.4;. Dummynet has traditionally been closely tied
      to <acronym>IPFW</acronym>, and <acronym>ALTQ</acronym> to
      <acronym>PF</acronym>. Traffic shaping for IPFILTER can currently be
      done with IPFILTER for NAT and filtering and <acronym>IPFW</acronym>
      combined with &man.dummynet.4; <emphasis>or</emphasis> by using
      <acronym>PF</acronym> combined with <acronym>ALTQ</acronym>. Both
      IPFW and PF use rules to control the flow of packets to and from
      your system, although they go about it in different ways, and their
      rules use different syntaxes.</para>

    <para>The reason &os; has multiple firewall packages is that different
      people have different requirements and preferences. No single
      firewall package is the best.</para>

    <para>The author prefers IPFILTER, because its stateful rules are much
      less complicated to use in a <acronym>NAT</acronym> environment, and
      it has a built-in ftp proxy that simplifies the rules even further,
      allowing secure connections to external FTP servers.</para>

    <para>Since all firewalls are based on inspecting the values of packet
      control fields, the administrator who creates the firewall rules
      must understand how <acronym>TCP/IP</acronym> works, the role of the
      different values in the packet control fields, and how these values
      are used in the exchange of a normal session. For more details,
      read <ulink url="http://www.ipprimer.com/overview.cfm"></ulink>.</para>
  </sect1>

  <sect1 id="firewalls-pf">
    <sect1info>
      <authorgroup>
        <author>
          <firstname>John</firstname>
          <surname>Ferrell</surname>
          <contrib>Revised and updated by </contrib>
          <!-- 24 March 2008 -->
        </author>
      </authorgroup>
    </sect1info>

    <title>The OpenBSD Packet Filter (PF) and
      <acronym>ALTQ</acronym></title>

    <indexterm>
      <primary>firewall</primary>
      <secondary>PF</secondary>
    </indexterm>

    <para>In July 2003, the OpenBSD firewall application (known as
      <acronym>PF</acronym>) was ported to &os; and made available in the
      Ports Collection. &os; 5.3, released in 2004, was the first official
      release to include <acronym>PF</acronym> as part of the base system.
      <acronym>PF</acronym> is a complete, full-featured firewall that also
      has optional support for <acronym>ALTQ</acronym> (Alternate
      Queuing). <acronym>ALTQ</acronym> provides Quality of Service
      (<acronym>QoS</acronym>) services.</para>

    <para>The OpenBSD Project does an outstanding job of maintaining the
      <ulink url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>. For
      this reason, this section of the Handbook focuses mainly on the
      &os;-specific aspects of <acronym>PF</acronym>, while providing some
      general information regarding its usage. For more detailed
      information on using <acronym>PF</acronym>, please refer to the
      <ulink url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>.</para>

    <para>More information about <acronym>PF</acronym> on &os; can be
      found at <ulink url="http://pf4freebsd.love2party.net/"></ulink>.</para>

    <sect2>
      <title>Using the PF Loadable Kernel Modules</title>

      <para>To load the PF kernel module, add the following line to
        <filename>/etc/rc.conf</filename>:</para>

      <programlisting>pf_enable="YES"</programlisting>

      <para>Then run the startup script to load the module:</para>

      <screen>&prompt.root; <userinput>/etc/rc.d/pf start</userinput></screen>

      <para>Note that the PF module will not load if it does not find the
        specified ruleset file. The default file is
        <filename>/etc/pf.conf</filename>. If the ruleset is located
        somewhere else, you can specify its location by adding a line like
        the following to <filename>/etc/rc.conf</filename>:</para>

      <programlisting>pf_rules="<replaceable>/path/to/pf.conf</replaceable>"</programlisting>

      <para>An example <filename>pf.conf</filename> file can be found in
        the <filename class="directory">/usr/share/examples/pf</filename>
        directory.</para>

      <para>The <acronym>PF</acronym> module can also be loaded manually
        from the command line:</para>

      <screen>&prompt.root; <userinput>kldload pf.ko</userinput></screen>

      <para>Logging support for PF is provided by the
        <literal>pflog.ko</literal> module and can be loaded by adding the
        following line to <filename>/etc/rc.conf</filename>:</para>

      <programlisting>pflog_enable="YES"</programlisting>

      <para>Then run the startup script to load the module:</para>

      <screen>&prompt.root; <userinput>/etc/rc.d/pflog start</userinput></screen>

      <para>If you need any of the advanced features of
        <acronym>PF</acronym>, you will need to compile
        <acronym>PF</acronym> support directly into the kernel.</para>
    </sect2>

    <sect2>
      <title>PF Kernel Options</title>

      <indexterm>
        <primary>kernel options</primary>
        <secondary>device pf</secondary>
      </indexterm>
      <indexterm>
        <primary>kernel options</primary>
        <secondary>device pflog</secondary>
      </indexterm>
      <indexterm>
        <primary>kernel options</primary>
        <secondary>device pfsync</secondary>
      </indexterm>

      <para>While it is not required to compile <acronym>PF</acronym>
        support into the &os; kernel, you may want to use one of the
        advanced PF features that is not included in the kernel module:
        &man.pfsync.4;. This is a pseudo-device that exposes certain
        changes to the state table used by <acronym>PF</acronym>. It can be
        paired with &man.carp.4; to create failover firewalls with
        <acronym>PF</acronym>. More information on <acronym>CARP</acronym>
        can be found in <xref linkend="carp"/> of the Handbook.</para>

      <para>All <acronym>PF</acronym> kernel options can be found in
        <filename>/usr/src/sys/conf/NOTES</filename>. The options are also
        shown below:</para>

      <programlisting>device pf
device pflog
device pfsync</programlisting>

      <para>The <literal>device pf</literal> option enables support for the
        <quote>Packet Filter</quote> firewall (&man.pf.4;).</para>

      <para>The <literal>device pflog</literal> option enables the optional
        &man.pflog.4; pseudo network device, which can be used to log
        traffic to a &man.bpf.4; descriptor. The &man.pflogd.8; daemon can
        store this log to disk.</para>

      <para>The <literal>device pfsync</literal> option enables the
        optional &man.pfsync.4; pseudo network device, which is used to
        monitor <quote>state changes</quote>.</para>
    </sect2>

    <sect2>
      <title><filename>rc.conf</filename> Options</title>

      <para><acronym>PF</acronym> and &man.pflog.4; can be configured at
        boot with the following &man.rc.conf.5; entries:</para>

      <programlisting>pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""                  # additional flags for pflogd startup</programlisting>

      <para>If you have a LAN behind this firewall to which you want to
        forward packets, or if you want to use NAT, you will also need
        the following option:</para>

      <programlisting>gateway_enable="YES"            # Enable as LAN gateway</programlisting>
    </sect2>

    <sect2>
      <title>Creating Filtering Rules</title>

      <para><acronym>PF</acronym> reads its configuration from
        &man.pf.conf.5; (the default location is
        <filename>/etc/pf.conf</filename>) and modifies, drops or passes
        packets according to the rules and definitions it contains. The
        &os; installation includes several sample configuration files,
        located in <filename>/usr/share/examples/pf/</filename>. Please
        refer to the <ulink url="http://www.openbsd.org/faq/pf/">PF
        FAQ</ulink> for complete coverage of <acronym>PF</acronym>
        rules.</para>

      <warning>
        <para>When reading the
          <ulink url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>,
          keep in mind that different versions of &os; contain different
          versions of PF. Currently, &os; 8.<replaceable>X</replaceable>
          and earlier releases use the same version of
          <acronym>PF</acronym> as OpenBSD 4.1.
          &os; 9.<replaceable>X</replaceable> and later releases use the
          same version of <acronym>PF</acronym> as OpenBSD 4.5.</para>
      </warning>

      <para>The &a.pf; is a good place to ask questions about configuring
        and running the <acronym>PF</acronym> firewall. Do not forget to
        check the mailing list archives before asking a question!</para>
    </sect2>

    <sect2>
      <title>Working with PF</title>

      <para>Use &man.pfctl.8; to control <acronym>PF</acronym>. Below are
        some useful commands (be sure to review the &man.pfctl.8; manual
        page for all available options):</para>

      <informaltable frame="none" pgwide="1">
        <tgroup cols="2">
          <thead>
            <row>
              <entry>Command</entry>
              <entry>Purpose</entry>
            </row>
          </thead>

          <tbody>
            <row>
              <entry><command>pfctl <option>-e</option></command></entry>
              <entry>Enable PF</entry>
            </row>

            <row>
              <entry><command>pfctl <option>-d</option></command></entry>
              <entry>Disable PF</entry>
            </row>

            <row>
              <entry><command>pfctl <option>-F</option> all
                <option>-f</option> /etc/pf.conf</command></entry>
              <entry>Flush all rules (nat, filter, state, table, etc.) and
                reload from the file
                <filename>/etc/pf.conf</filename></entry>
            </row>

            <row>
              <entry><command>pfctl <option>-s</option> [ rules | nat |
                state ]</command></entry>
              <entry>Report on the filter rules, the NAT rules, or the
                state table</entry>
            </row>

            <row>
              <entry><command>pfctl <option>-vnf</option>
                /etc/pf.conf</command></entry>
              <entry>Check <filename>/etc/pf.conf</filename> for errors,
                but do not load the rules</entry>
            </row>
          </tbody>
        </tgroup>
      </informaltable>
    </sect2>

    <sect2>
      <title>Enabling <acronym>ALTQ</acronym></title>

      <para><acronym>ALTQ</acronym> is only available if you compile its
        support directly into the &os; kernel. <acronym>ALTQ</acronym> is
        not supported by all of the available network card drivers.
        Please review the &man.altq.4; manual page for the list of
        drivers that are supported in your release of &os;.</para>

      <para>The following kernel options enable <acronym>ALTQ</acronym>
        and provide additional functionality:</para>

      <programlisting>options         ALTQ
options         ALTQ_CBQ        # Class Based Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build</programlisting>

      <para>The <literal>options ALTQ</literal> line enables the
        <acronym>ALTQ</acronym> framework.</para>

      <para>The <literal>options ALTQ_CBQ</literal> line enables
        <emphasis>Class Based Queuing</emphasis> (<acronym>CBQ</acronym>).
        <acronym>CBQ</acronym> allows you to divide a connection's
        bandwidth into different classes or queues, so that traffic can be
        prioritized based on the filter rules.</para>

      <para>The <literal>options ALTQ_RED</literal> line enables
        <emphasis>Random Early Detection</emphasis>
        (<acronym>RED</acronym>). <acronym>RED</acronym> is used to avoid
        network congestion. To do so, <acronym>RED</acronym> measures the
        length of the queue and compares it to the queue's maximum and
        minimum thresholds. If the queue is over the maximum, all new
        packets will be dropped. True to its name, <acronym>RED</acronym>
        drops packets from different connections randomly.</para>

      <para>The <literal>options ALTQ_RIO</literal> line enables
        <emphasis>Random Early Detection In and Out</emphasis>.</para>

      <para>The <literal>options ALTQ_HFSC</literal> line enables the
        <emphasis>Hierarchical Fair Service Curve Packet
        Scheduler</emphasis>. For more information about
        <acronym>HFSC</acronym> see:
        <ulink url="http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html"></ulink>.</para>

      <para>The <literal>options ALTQ_PRIQ</literal> line enables
        <emphasis>Priority Queuing</emphasis> (<acronym>PRIQ</acronym>).
        <acronym>PRIQ</acronym> always passes the traffic with the highest
        priority first.</para>

      <para>The <literal>options ALTQ_NOPCC</literal> line enables
        <acronym>SMP</acronym> support for <acronym>ALTQ</acronym>. This
        option is required on <acronym>SMP</acronym> systems.</para>
    </sect2>
  </sect1>

  <sect1 id="firewalls-ipf">
    <title>The IPFILTER (IPF) Firewall</title>

    <indexterm>
      <primary>firewall</primary>
      <secondary>IPFILTER</secondary>
    </indexterm>

    <para>The author of IPFILTER is Darren Reed. IPFILTER is not operating
      system dependent: it is an open source application that has been
      ported to &os;, NetBSD, OpenBSD, &sunos;, HP/UX and &solaris;.
      IPFILTER is under continuous, active development and maintenance,
      and new versions are released regularly.</para>

    <para>IPFILTER is a kernel-side firewall and <acronym>NAT</acronym>
      mechanism that can be controlled and monitored by userland programs.
      The firewall rules can be set or deleted with the &man.ipf.8;
      utility. The <acronym>NAT</acronym> rules can be set or deleted with
      the &man.ipnat.1; utility. The &man.ipfstat.8; utility can print
      run-time statistics for the kernel parts of IPFILTER. The
      &man.ipmon.8; program can log IPFILTER actions to the system log
      files.</para>

    <para>IPF was originally written using a rule processing logic of
      <quote>the last matching rule wins</quote> and used only stateless
      rules. Over time, IPF was enhanced to include the
      <quote>quick</quote> option and the <quote>keep state</quote>
      option for stateful rules. These options drastically modernized the
      rule processing logic. The official IPF documentation covers only
      the legacy rule coding parameters and rule processing logic. The
      modernized functions are only included as additional options, so
      their benefits in building a far superior and more secure firewall
      are completely understated.</para>

    <para>The instructions contained in this section are based on using
      rules that contain the <quote>quick</quote> option and the stateful
      <quote>keep state</quote> option. This is the basic framework for
      coding an inclusive firewall rule set.</para>

    <para>For a detailed explanation of the legacy rule processing method,
      see: <ulink url="http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1"></ulink>
      and <ulink url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>.</para>

    <para>The IPF FAQ is at
      <ulink url="http://www.phildev.net/ipf/index.html"></ulink>.</para>

    <para>The archives of the IPFILTER mailing list are available at
      <ulink url="http://marc.theaimsgroup.com/?l=ipfilter"></ulink>.
      The archive is searchable.</para>

    <sect2>
      <title>Enabling IPF</title>

      <indexterm>
        <primary>IPFILTER</primary>
        <secondary>enabling</secondary>
      </indexterm>

      <para>IPF is included in the basic &os; install as a separately
        loadable module. The system will dynamically load the IPF module
        when the entry <literal>ipfilter_enable="YES"</literal> is present
        in <filename>/etc/rc.conf</filename>. The module was built with
        logging enabled and the <literal>default pass all</literal>
        option. To change this default to <literal>block all</literal>,
        you can simply add a block all rule at the end of your rule set.
        You do not need to compile the IPF option into the &os; kernel for
        this purpose.</para>
    </sect2>

    <sect2>
      <title>Kernel Options</title>

      <indexterm>
        <primary>kernel options</primary>
        <secondary>IPFILTER</secondary>
      </indexterm>
      <indexterm>
        <primary>kernel options</primary>
        <secondary>IPFILTER_LOG</secondary>
      </indexterm>
      <indexterm>
        <primary>kernel options</primary>
        <secondary>IPFILTER_DEFAULT_BLOCK</secondary>
      </indexterm>
      <indexterm>
        <primary>IPFILTER</primary>
        <secondary>kernel options</secondary>
      </indexterm>

      <para>It is not mandatory to compile the following options into the
        &os; kernel in order to enable IPF. They are presented here purely
        as background information. If you compile IPF directly into the
        kernel, the corresponding module will never be used.</para>

      <para>Sample IPF entries for the kernel configuration file can be
        found in <filename>/usr/src/sys/conf/NOTES</filename>. These
        options are also shown below:</para>

      <programlisting>options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK</programlisting>

      <para>The <literal>options IPFILTER</literal> option enables support
        for the <quote>IPFILTER</quote> firewall.</para>

      <para>The <literal>options IPFILTER_LOG</literal> option enables IPF
        logging support, which writes to the <devicename>ipl</devicename>
        packet logging pseudo-device for every rule that includes the
        <literal>log</literal> keyword.</para>

      <para>The <literal>options IPFILTER_DEFAULT_BLOCK</literal> option
        changes the default behavior, so that any packet not matching a
        firewall <literal>pass</literal> rule is automatically
        blocked.</para>

      <para>The above options will take effect only after you have built
        and installed a custom kernel that includes them.</para>
    </sect2>

    <sect2>
      <title>Available <filename>rc.conf</filename> Options</title>

      <para>You need the following entries in
        <filename>/etc/rc.conf</filename> to activate IPF at boot
        time:</para>

      <programlisting>ipfilter_enable="YES"             # Start ipf firewall
ipfilter_rules="/etc/ipf.rules"   # loads rules definition text file
ipmon_enable="YES"                # Start IP monitor log
ipmon_flags="-Ds"                 # D = start as daemon
                                  # s = log to syslog
                                  # v = log tcp window, ack, seq
                                  # n = map IP &amp; port to names</programlisting>

      <para>If you have a LAN behind this firewall that uses the reserved
        private address ranges, you will need to add the following entries
        to enable <acronym>NAT</acronym> functionality:</para>

      <programlisting>gateway_enable="YES"              # Enable as LAN gateway
ipnat_enable="YES"                # Start ipnat function
ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat</programlisting>
    </sect2>

    <sect2>
      <title>IPF</title>

      <indexterm><primary><command>ipf</command></primary></indexterm>

      <para>The &man.ipf.8; command is used to load the rules file.
        Normally, you create a file containing your own custom rules and
        use this command to replace the running firewall's internal rules
        entirely:</para>

      <screen>&prompt.root; <userinput>ipf -Fa -f /etc/ipf.rules</userinput></screen>

      <para>The <option>-Fa</option> option flushes all rules from the
        firewall's internal tables.</para>

      <para>The <option>-f</option> option specifies the rules file to
        load.</para>

      <para>This gives you the ability to change your rules file, run the
        IPF command shown above, and thus refresh the rules of the already
        running firewall with the new ones, without having to reboot your
        system. This method is very convenient for testing new rules, as
        it can be repeated as many times as needed.</para>

      <para>See the &man.ipf.8; manual page for details on the other
        options available with this command.</para>

      <para>The &man.ipf.8; command expects a plain text file as the rules
        file. It will not accept a rules file written as a script with
        symbolic substitutions.</para>

      <para>There is, however, a way to write IPF rules that use the power
        of symbolic substitution. For more information, see
        <xref linkend="firewalls-ipf-rules-script"/>.</para>
    </sect2>

    <sect2>
      <title>IPFSTAT</title>

      <indexterm><primary><command>ipfstat</command></primary></indexterm>
      <indexterm>
        <primary>IPFILTER</primary>
        <secondary>statistics</secondary>
      </indexterm>

      <para>The default behavior of &man.ipfstat.8; is to retrieve and
        display the totals of the statistics accumulated as a result of
        applying the user's rules to the packets entering and leaving the
        firewall, since it was last started or since the counters were
        last reset to zero with the <command>ipf -Z</command>
        command.</para>

      <para>See the &man.ipfstat.8; manual page for details.</para>

      <para>The default output of the &man.ipfstat.8; command will look
        something like this:</para>

      <screen>input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0
output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0
input packets logged: blocked 99286 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 3898 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 169364 lost 0
packet state(out): kept 431395 lost 0
ICMP replies: 0 <acronym>TCP</acronym> RSTs sent: 0
Result cache hits(in): 1215208 (out): 1098963
IN Pullups succeeded: 2 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
<acronym>TCP</acronym> cksum fails(in): 0 (out): 0
Packet log flags set: (0)</screen>

      <para>When the <option>-i</option> option is used for inbound or the
        <option>-o</option> option for outbound packets, the command will
        retrieve and display the corresponding list of rules currently
        installed and in use by the kernel.</para>

      <para>The <command>ipfstat -in</command> command displays a numbered
        table of rules for inbound packets.</para>

      <para>The <command>ipfstat -on</command> command displays a numbered
        table of rules for outbound packets.</para>

      <para>The output will look something like this:</para>

      <screen>@1 pass out on xl0 from any to any
@2 block out on dc0 from any to any
@3 pass out quick on dc0 proto tcp/udp from any to any keep state</screen>

      <para>The <command>ipfstat -ih</command> command displays the table
        of rules for inbound packets, prefixing each rule with a count of
        how many times it has been matched.</para>

      <para>The <command>ipfstat -oh</command> command displays the table
        of rules for outbound packets, prefixing each rule with a count of
        how many times it has been matched.</para>

      <para>The output will look something like this:</para>

      <screen>2451423 pass out on xl0 from any to any
354727 block out on dc0 from any to any
430918 pass out quick on dc0 proto tcp/udp from any to any keep state</screen>

      <para>One of the most important functions of the
        <command>ipfstat</command> command is the <option>-t</option>
        option, which displays the state table in a way similar to how
        &man.top.1; shows the table of processes running on &os;. When
        your firewall is under attack, this function gives you the ability
        to identify and focus on the very packets that make up the attack.
        The optional sub-options let you select the source or destination
        IP, the port, or the protocol that you want to monitor in real
        time. See the &man.ipfstat.8; manual page for more details.</para>
    </sect2>

    <sect2>
      <title>IPMON</title>

      <indexterm><primary><command>ipmon</command></primary></indexterm>
      <indexterm>
        <primary>IPFILTER</primary>
        <secondary>logging</secondary>
      </indexterm>

      <para>In order for the <command>ipmon</command> command to work
        properly, the <literal>IPFILTER_LOG</literal> option must be
        enabled in the kernel. This command has two different modes of
        operation. The default native mode is used when the command is run
        without the <option>-D</option> option.</para>

      <para>The command can be used in daemon mode when you want to have a
        continuous log file so that you can review past entries. This is
        how &os; has been configured to work with IPFILTER. &os; has a
        built-in facility for rotating log files. For this reason, it is
        better to log through &man.syslogd.8; than to a regular file. By
        default, the <literal>ipmon_flags</literal> setting in
        <filename>rc.conf</filename> uses the <option>-Ds</option>
        options:</para>

      <programlisting>ipmon_flags="-Ds"                 # D = start as daemon
                                  # s = log to syslog
                                  # v = log tcp window, ack, seq
                                  # n = map IP &amp; port to names</programlisting>

      <para>The benefits of logging are obvious. It provides the ability to
        review information such as which packets were dropped, the
        addresses they came from, and where they were going. This gives
        you a significant edge when trying to identify an intruder.</para>

      <para>Even with the logging facility enabled, IPF will not log
        anything unless the rules have been configured accordingly. The
        firewall administrator decides which rules in the set should be
        logged and adds the log keyword to them. Normally, logging is
        enabled only on rules that block packets.</para>

      <para>It is very common to include a rule at the end of the set that
        blocks by default all packets that reach it (default deny). This
        way you get to see all the packets that did not match any rule in
        the set.</para>
    </sect2>

    <sect2>
      <title>IPMON Logging</title>

      <para><application>syslogd</application> uses its own special method
        for segregating log data. It uses special groupings called
        <quote>facility</quote> and <quote>level</quote>. When IPMON is
        used with the <option>-Ds</option> option, it uses
        <literal>local0</literal> as the <quote>facility</quote> name by
        default. If desired, the following levels can be used to further
        segregate the logged data:</para>

      <screen>LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block.
LOG_NOTICE - packets logged which are also passed
LOG_WARNING - packets logged which are also blocked
LOG_ERR - packets which have been logged and which can be considered short</screen>
      <!-- XXX: "can be considered short" == "with incomplete header" -->

      <para>In order to set up IPFILTER to log all data to
        <filename>/var/log/ipfilter.log</filename>, you will need to
        create the file beforehand. This can be done with the following
        command:</para>

      <screen>&prompt.root; <userinput>touch /var/log/ipfilter.log</userinput></screen>

      <para>The operation of &man.syslogd.8; can be configured with
        entries in <filename>/etc/syslog.conf</filename>. The
        <filename>syslog.conf</filename> file offers considerable
        flexibility in how <application>syslog</application> deals with
        system messages issued by applications such as IPF.</para>

      <para>Add the following entry to
        <filename>/etc/syslog.conf</filename>:</para>

      <programlisting>local0.*        /var/log/ipfilter.log</programlisting>

      <para>The <literal>local0.*</literal> means that all messages of this
        type will be logged to the specified location.</para>

      <para>To activate the changes to
        <filename>/etc/syslog.conf</filename>, you must either reboot the
        machine or force &man.syslogd.8; to re-read
        <filename>/etc/syslog.conf</filename> by running the command
        <command>/etc/rc.d/syslogd reload</command>.</para>

      <para>Do not forget to modify
        <filename>/etc/newsyslog.conf</filename> so that it rotates the log
        file you created above.</para>
    </sect2>

    <sect2>
      <title>The Format of Logged Messages</title>

      <para>Messages generated by <command>ipmon</command> consist of data
        fields separated by white space. The fields common to all messages
        are the following:</para>

      <orderedlist>
        <listitem>
          <para>The date of packet receipt.</para>
        </listitem>

        <listitem>
          <para>The time of packet receipt. This is in the form
            HH:MM:SS.F, for hours, minutes, seconds and fractions of a
            second (which can be several digits long).</para>
        </listitem>

        <listitem>
          <para>The name of the interface the packet was processed on,
            e.g. <devicename>dc0</devicename>.</para>
        </listitem>

        <listitem>
          <para>The group number and rule number of the rule, e.g.
<literal>@0:17</literal>.</para> </listitem> </orderedlist> <para>Ìðïñåßôå íá äåßôå ôá ðáñáêÜôù ìå ôçí åíôïëÞ <command>ipfstat -in</command>:</para> <orderedlist> <listitem> <para>Ôï åßäïò ôçò åíÝñãåéáò: p áí ôï ðáêÝôï ðÝñáóå, b áí ôï ðáêÝôï áðïññßöèçêå, S ãéá óýíôïìï ðáêÝôï, n áí äåí ôáßñéáîå ìå êáíÝíá êáíüíá, L ãéá êáíüíá ìå êáôáãñáöÞ. Ç óåéñÜ ðñïôåñáéüôçôáò óôçí áðåéêüíéóç ôùí ðáñáðÜíù, åßíáé S, p, b, n, L. Ôï êåöáëáßï P Þ ôï B óçìáßíïõí üôé ç êáôáãñáöÞ ôïõ ðáêÝôïõ Ýãéíå ëüãù êÜðïéáò ãåíéêÞò ñýèìéóçò êáôáãñáöÞò êáé ü÷é åîáéôßáò êÜðïéïõ êáíüíá.</para> </listitem> <listitem> <para>Ïé äéåõèýíóåéò. Ðñüêåéôáé óôçí ðñáãìáôéêüôçôá ãéá ôñßá ðåäßá: ôç äéåýèõíóç êáé ôç èýñá áöåôçñßáò (÷ùñßæïíôáé ìå êüììá), ôï óýìâïëï -> êáé ôçí äéåýèõíóç êáé èýñá ðñïïñéóìïý, ð.÷. <literal>209.53.17.22,80 -> 198.73.220.17,1722</literal>.</para> </listitem> <listitem> <para>Ôï <literal>PR</literal> áêïëïõèïýìåíï áðü ôï üíïìá Þ ôïí áñéèìü ôïõ ðñùôïêüëëïõ, ð.÷. <literal>PR tcp</literal>.</para> </listitem> <listitem> <para>Ôï <literal>len</literal> áêïëïõèïýìåíï áðü ôï ìÞêïò ôçò åðéêåöáëßäáò êáé ôï óõíïëéêü ìÞêïò ôïõ ðáêÝôïõ, ð.÷. <literal>len 20 40</literal>.</para> </listitem> </orderedlist> <para>Áí ðñüêåéôáé ãéá ðáêÝôï <acronym>TCP</acronym>, èá õðÜñ÷åé Ýíá åðéðëÝïí ðåäßï ôï ïðïßï èá îåêéíÜåé ìå ìéá ðáýëá êáé èá áêïëïõèåßôáé áðü ãñÜììáôá ôá ïðïßá áíôéóôïé÷ïýí óôéò åðéëïãÝò (flags) ðïõ Ý÷ïõí ôåèåß. Äåßôå ôç óåëßäá manual &man.ipf.5; ãéá ôç ëßóôá ôùí ãñáììÜôùí êáé ôùí áíôßóôïé÷ùí flags.</para> <para>Áí ðñüêåéôáé ãéá ðáêÝôï ICMP, èá õðÜñ÷ïõí äýï ðåäßá óôï ôÝëïò, ôï ðñþôï èá åßíáé ðÜíôá <quote>ICMP</quote> êáé ôï åðüìåíï èá åßíáé ï ôýðïò ôïõ ìçíýìáôïò êáé ôïõ õðü-ìçíýìáôïò ICMP, ÷ùñéóìÝíá ìå ìéá êÜèåôï, ð.÷. 
ICMP 3/3 ãéá Ýíá ìÞíõìá ìç ðñïóâÜóéìçò èýñáò (port unreachable).</para> </sect2> <sect2 id="firewalls-ipf-rules-script"> <title>Äçìéïõñãßá Script Êáíüíùí ìå ÓõìâïëéêÞ ÕðïêáôÜóôáóç</title> <para>ÏñéóìÝíïé Ýìðåéñïé ÷ñÞóôåò ôïõ IPF äçìéïõñãïýí Ýíá áñ÷åßï êáíüíùí ôï ïðïßï ìðïñåß íá åêôåëåóôåß ùò script ìå äõíáôüôçôá óõìâïëéêÞò õðïêáôÜóôáóçò. Ôï âáóéêü üöåëïò ôïõ ðáñáðÜíù, åßíáé üôé ÷ñåéÜæåôáé íá áëëÜîåôå ìüíï ôçí ôéìÞ ðïõ ó÷åôßæåôáé ìå ôï óõìâïëéêü üíïìá êáé üôáí ôï script åêôåëåóôåß, ç ôéìÞ èá õðïêáôáóôáèåß óå üëïõò ôïõò êáíüíåò ðïõ ðåñéÝ÷ïõí ôï üíïìá áõôü. Êáèþò ðñüêåéôáé ãéá script, ìðïñåßôå íá ÷ñçóéìïðïéÞóåôå óõìâïëéêÞ õðïêáôÜóôáóç ãéá íá êùäéêïðïéÞóåôå óõ÷íÜ ÷ñçóéìïðïéïýìåíåò ôéìÝò êáé íá ôéò õðïêáèéóôÜôå óå ðïëëáðëïýò êáíüíåò. Áõôü öáßíåôáé êáé óôï ðáñÜäåéãìá ðïõ áêïëïõèåß.</para> <para>Ç óýíôáîç ôïõ script ðïõ ÷ñçóéìïðïéåßôáé åäþ, åßíáé óõìâáôÞ ìå ôá êåëýöç &man.sh.1;, &man.csh.1;, êáé &man.tcsh.1;.</para> <para>Ôá ðåäßá óôá ïðïßá ãßíåôáé óõìâïëéêÞ õðïêáôÜóôáóç ðñïóçìåéþíïíôáé ìå ôï óÞìá ôïõ äïëáñßïõ: <literal>$</literal>.</para> <para>Ôá óõìâïëéêÜ ðåäßá äåí Ý÷ïõí ôçí ðñïóçìåßùóç ìå ôï $.</para> <para>Ç ôéìÞ ðïõ èá ÷ñçóéìïðïéçèåß óôï óõìâïëéêü ðåäßï, èá ðñÝðåé íá åóùêëåßåôáé óå äéðëÜ åéóáãùãéêÜ (<literal>"</literal>).</para> <para>ÎåêéíÞóôå ôï áñ÷åßï ôùí êáíüíùí óáò ìå êÜôé áíôßóôïé÷ï ìå ôï ðáñáêÜôù:</para> <programlisting>############# Start of IPF rules script ######################## oif="dc0" # name of the outbound interface odns="192.0.2.11" # ISP's DNS server IP address myip="192.0.2.7" # my static IP address from ISP ks="keep state" fks="flags S keep state" # You can choose between building /etc/ipf.rules file # from this script or running this script "as is". # # Uncomment only one line and comment out another. # # 1) This can be used for building /etc/ipf.rules: #cat > /etc/ipf.rules << EOF # # 2) This can be used to run script "as is": /sbin/ipf -Fa -f - << EOF # Allow out access to my ISP's Domain name server. 
pass out quick on $oif proto tcp from any to $odns port = 53 $fks
pass out quick on $oif proto udp from any to $odns port = 53 $ks

# Allow out non-secure standard www function
pass out quick on $oif proto tcp from $myip to any port = 80 $fks

# Allow out secure www function https over TLS SSL
pass out quick on $oif proto tcp from $myip to any port = 443 $fks
EOF
################## End of IPF rules script ########################</programlisting> <para>That is all there is to it. The rules in the above example are not important; what matters is how the substitution fields work and receive their values. If the above example were in a file named <filename>/etc/ipf.rules.script</filename>, these rules could be reloaded with the following command:</para> <screen>&prompt.root; <userinput>sh /etc/ipf.rules.script</userinput></screen> <para>There is one problem with using a rules file with embedded symbolics: IPF does not understand symbolic substitution and cannot read such scripts directly.</para> <para>Such a script can be used in one of the following two ways:</para> <itemizedlist> <listitem> <para>Uncomment the line that begins with <literal>cat</literal>, and comment out the line that begins with <literal>/sbin/ipf</literal>. Place <literal>ipfilter_enable="YES"</literal> in <filename>/etc/rc.conf</filename> as usual, and run the script once after each change to create or update <filename>/etc/ipf.rules</filename>.</para> </listitem> <listitem> <para>Disable IPFILTER in the system start-up scripts by adding <literal>ipfilter_enable="NO"</literal> (this is the default value) to <filename>/etc/rc.conf</filename>.</para> <para>Add a script like the following to the <filename class="directory">/usr/local/etc/rc.d/</filename> start-up directory. The script should have an obvious name such as <filename>ipf.loadrules.sh</filename>. The <filename>.sh</filename> extension is mandatory.</para> <programlisting>#!/bin/sh
sh /etc/ipf.rules.script</programlisting> <para>The permissions on this file must allow read, write and execute for the <username>root</username> user.</para> <screen>&prompt.root; <userinput>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</userinput></screen> </listitem> </itemizedlist> <para>The IPF rules will now be loaded when the system boots.</para> </sect2> <sect2> <title>The IPF Ruleset</title> <para>An IPF <quote>ruleset</quote> is a group of rules written to pass or block packets based on the values they contain. The bidirectional exchange of packets between hosts makes up a session. The firewall ruleset processes both the packets arriving from the Internet and the packets the system produces in reply to them. Each <acronym>TCP/IP</acronym> service (e.g. telnet, www, mail, etc.) is defined by its protocol and the privileged port on which it listens for service requests. Packets destined for a given service originate from the source address using an unprivileged port and target the specific service port at the destination. All of the above parameters (ports and addresses) can be used as selection criteria when creating rules that pass or block access to services.</para> <indexterm> <primary>IPFILTER</primary> <secondary>rule processing order</secondary> </indexterm> <para>IPF was originally written with a <quote>last matching rule wins</quote> rule processing logic and used only stateless rules. Over time, IPF was enhanced with the <quote>quick</quote> option and with state keeping through the <quote>keep state</quote> option, which dramatically modernised its rule processing logic.</para> <para>The instructions in this section are based on rules that use the <quote>quick</quote> option and the <quote>keep state</quote> option to keep state. These are the basic building blocks for coding an inclusive firewall ruleset.</para> <warning> <para>When working with firewall rules, be <emphasis>very careful</emphasis>. Some settings can <emphasis>lock you out</emphasis> of your server. To be safe, do your initial configuration from the local console rather than over a remote connection (e.g. over <application>ssh</application>).</para> </warning> </sect2> <sect2> <title>Rule Syntax</title> <indexterm> <primary>IPFILTER</primary> <secondary>rule syntax</secondary> </indexterm> <para>The rule syntax presented here is simplified to reflect the modern stateful implementation and the <quote>first matching rule wins</quote> logic. For the description of the legacy rule processing, read the &man.ipf.8; manual page.</para> <para>A <literal>#</literal> character marks the start of a comment and may appear at the end of a rule line or on a line of its own. Blank lines are ignored.</para> <para>Rules contain keywords. These keywords must be coded in a specific order from left to right on the line. The keywords are shown below in bold. Some keywords have sub-options, which may themselves be keywords and may also include further sub-options. Each of the headings in the example below has a bold header explaining its content.</para> <!-- This section is probably wrong. See the OpenBSD flag --> <!-- What is the "OpenBSD flag"? Reference please --> <para><replaceable>ACTION IN-OUT OPTIONS SELECTION STATEFUL PROTO SRC_ADDR,DST_ADDR OBJECT PORT_NUM TCP_FLAG STATEFUL</replaceable></para> <para><replaceable>ACTION</replaceable> = block | pass</para> <para><replaceable>IN-OUT</replaceable> = in | out</para> <para><replaceable>OPTIONS</replaceable> = log | quick | on interface-name</para> <para><replaceable>SELECTION</replaceable> = proto value | source/destination IP | port = number | flags flag-value</para> <para><replaceable>PROTO</replaceable> = tcp/udp | udp | tcp | icmp</para> <para><replaceable>SRC_ADDR,DST_ADDR</replaceable> = all | from object to object</para> <para><replaceable>OBJECT</replaceable> = IP address | any</para> <para><replaceable>PORT_NUM</replaceable> = port number</para> <para><replaceable>TCP_FLAG</replaceable> = S</para> <para><replaceable>STATEFUL</replaceable> = keep state</para> <sect3> <title>ACTION</title> <para>The action indicates what to do with the packet if it matches the filter rule. Every rule <emphasis>must</emphasis> have an action. The following actions are recognised:</para> <para><literal>block</literal> indicates that the packet should be dropped if it matches the rule's selection parameters.</para> <para><literal>pass</literal> indicates that the packet should be let out through the firewall if it matches the rule's selection parameters.</para> </sect3> <sect3> <title>IN-OUT</title> <para>Every filter rule must explicitly state whether it applies to incoming or outgoing packets. The next keyword must be either <literal>in</literal> or <literal>out</literal>; a rule without it fails the syntax check.</para> <para><literal>in</literal> means the rule is applied to an incoming packet that has just been received on the interface facing the Internet.</para> <para><literal>out</literal> means the rule is applied to a packet that is about to be sent out through the interface facing the Internet.</para> </sect3> <sect3> <title>OPTIONS</title> <note> <para>The following options must be used in the order shown here.</para> </note> <para><literal>log</literal> indicates that the packet header is written to the <!-- XXX - xref here --> <devicename>ipl</devicename> log (as described in the LOGGING section below) if the selection parameters match the packet.</para> <para><literal>quick</literal> indicates that if the selection parameters match the packet, this rule is the last rule checked. This option is mandatory for the modern rule processing logic.</para> <para><literal>on</literal> names the interface to be included in the selection parameters. Interface names are shown by &man.ifconfig.8;. With this option, the rule is checked only if the packet is passing through that interface in the given direction (in/out). This option is mandatory for the modern rule processing logic.</para> <para>When a packet is logged, its headers are written to the <acronym>IPL</acronym> packet logging pseudo-device. The following parameters may follow the <literal>log</literal> keyword (in the order shown):</para> <para><literal>body</literal> indicates that the first 128 bytes of the packet contents, immediately following the header, are logged.</para> <para><literal>first</literal> is recommended when <literal>log</literal> is used together with <literal>keep state</literal>. Only the first packet (the one that started the session) is then logged, rather than every subsequent packet matched by the <quote>keep state</quote> information.</para> </sect3> <sect3> <title>SELECTION</title> <para>The keywords described in this section describe which attributes of the packet are examined to determine whether it matches the rules. One keyword names the subject and is followed by further keywords that define the exact selection. One of these keywords must always be chosen. The following general-purpose attributes are provided and must be used in this order:</para> </sect3> <sect3> <title>PROTO</title> <para><literal>proto</literal> is the subject keyword and must be coded together with a value for further selection. The value allows matching on a specific protocol. It is mandatory for the modern rule processing logic to work.</para> <para>The recognised protocol names are <literal>tcp/udp | udp | tcp | icmp</literal> or any of the protocols listed in <filename>/etc/protocols</filename>. The special name <literal>tcp/udp</literal> matches either a <acronym>TCP</acronym> or a <acronym>UDP</acronym> packet; it was added to avoid duplicate but otherwise identical rules.</para> </sect3> <sect3> <title>SRC_ADDR/DST_ADDR</title> <para>The <literal>all</literal> keyword is essentially a synonym for <quote>from any to any</quote> with no other match parameters.</para> <para>When <literal>from src to dst</literal> is used, the <literal>from</literal> and <literal>to</literal> keywords introduce the IP addresses to match. Rules must specify both the source and the destination parameters. The <literal>any</literal> keyword has the special meaning of matching any IP address. Examples: <literal>from any to any</literal>, <literal>from 0.0.0.0/0 to any</literal>, <literal>from any to 0.0.0.0/0</literal>, <literal>from 0.0.0.0 to any</literal>, or <literal>from any to 0.0.0.0</literal>.</para> <para>There is no way to describe IP address ranges that cannot be expressed easily in dotted-quad / subnet-mask form. The <filename role="package">net-mgmt/ipcalc</filename> utility can help with the calculations. See its web site for more information: <ulink url="http://jodies.de/ipcalc"></ulink>.</para> </sect3> <sect3> <title>PORT</title> <para>Matching on a particular source and/or destination port (if present) applies only to <acronym>TCP</acronym> and <acronym>UDP</acronym> packets. When writing port comparisons, either the port number or the corresponding service name from <filename>/etc/services</filename> may be used. When the port appears as part of the <literal>from</literal> object, it matches the source port; when it appears as part of the <literal>to</literal> object, it matches the destination port. For the modern rule matching logic to work, the port option on the <literal>to</literal> object is mandatory. Example: <literal>from any to any port = 80</literal></para> <!-- XXX: Probably needs further corrections --> <para>Single-port comparisons can be written in many ways, using different comparison operators. It is also possible to specify whole port ranges.</para> <para>port "=" | "!=" | "&lt;" | "&gt;" | "&lt;=" | "&gt;=" | "eq" | "ne" | "lt" | "gt" | "le" | "ge".</para> <para>To specify port ranges, use port "&lt;&gt;" | "&gt;&lt;"</para> <warning> <para>After the source and destination match parameters, the following two parameters are mandatory for the modern rule processing logic to work.</para> </warning> </sect3> <sect3> <title><acronym>TCP</acronym>_FLAG</title> <para>Flags are only meaningful when filtering the <acronym>TCP</acronym> protocol. Each letter represents one of the possible flags that are inspected in the <acronym>TCP</acronym> packet header.</para> <para>The modern rule processing logic uses the <literal>flags S</literal> parameter to identify the start of a tcp session.</para> </sect3> <sect3> <title>STATEFUL</title> <para>On a rule that passes packets, <literal>keep state</literal> indicates that stateful filtering should be enabled for the session when the packet matches the selection criteria.</para> <note> <para>This option is mandatory for the modern rule processing logic to work.</para> </note> </sect3> </sect2> <sect2> <title>Stateful Filtering</title> <indexterm> <primary>IPFILTER</primary> <secondary>stateful filtering</secondary> </indexterm> <!-- XXX: duplicated --> <para>Stateful filtering treats network traffic as a bidirectional exchange of packets that make up a session. When enabled, keep-state dynamically generates internal rules for each packet exchanged during that session. It is also able to check whether the valid message exchange rules between sender and receiver are being followed. Any packets that do not fit the pattern of that conversation are discarded as impostors.</para> <para>Keep state also lets through the <acronym>ICMP</acronym> packets related to a <acronym>TCP</acronym> or <acronym>UDP</acronym> session. So if <acronym>ICMP</acronym> type 3 code 4 packets arrive in reply while you are visiting a web site (which the corresponding outbound rule permits), they are let in.</para>
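<para>As an added example, not from the Handbook or from IPFilter itself, the following Python parses rules written in the simplified syntax of the previous section and reports pass rules on the Internet-facing interface that lack the options the text marks as mandatory for the modern stateful logic (<literal>quick</literal>, <literal>on</literal>, <literal>proto</literal>, a port on the <literal>to</literal> object, <literal>flags S</literal> for TCP and <literal>keep state</literal>), as well as a <literal>log</literal> without <literal>first</literal> on a <literal>keep state</literal> rule. The function names <literal>parse_rule()</literal> and <literal>lint_rule()</literal> and the <literal>public_iface</literal> parameter are this example's own; the rules it is meant for are those of this chapter, on <devicename>dc0</devicename>.</para>

```python
"""Added example (not Handbook or IPFilter code): parse rules in the simplified
syntax above and flag pass rules on the public interface that lack the options
the text calls mandatory for the modern first-match ("quick") stateful logic."""

PORT_OPS = {"=", "!=", "<", ">", "<=", ">=", "eq", "ne", "lt", "gt", "le", "ge"}
RANGE_OPS = {"<>", "><"}                          # written as: port LO <> HI


def _port(toks, i):
    """Parse an optional port clause at toks[i]; IndexError if truncated."""
    if i >= len(toks) or toks[i] != "port":
        return None, i
    a, b = toks[i + 1], toks[i + 2]
    if b in RANGE_OPS:
        return (b, a, toks[i + 3]), i + 4
    if a not in PORT_OPS:
        raise ValueError(f"unknown port operator {a!r}")
    return (a, b), i + 3


def parse_rule(line):
    """Return a dict for one rule, or None for a blank or comment-only line."""
    text = line.split("#", 1)[0].strip()            # '#' starts a comment
    if not text:
        return None
    toks = text.split()
    at = lambda k: toks[k] if k < len(toks) else None   # bounds-safe lookahead
    r = dict(action=None, direction=None, log=False, log_opts=[], quick=False,
             on=None, proto=None, src=None, dst=None, src_port=None,
             dst_port=None, with_opts=[], flags=None, icmp_type=None,
             keep_state=False)
    if at(0) not in ("block", "pass") or at(1) not in ("in", "out"):
        raise ValueError(f"rule must start with ACTION IN-OUT: {text!r}")
    r["action"], r["direction"], i = toks[0], toks[1], 2
    try:
        if at(i) == "log":                          # OPTIONS: log [body] [first]
            r["log"], i = True, i + 1
            while at(i) in ("body", "first"):
                r["log_opts"].append(toks[i])
                i += 1
        if at(i) == "quick":                        # then quick
            r["quick"], i = True, i + 1
        if at(i) == "on":                           # then on IFACE
            r["on"], i = toks[i + 1], i + 2
        if at(i) == "proto":                        # SELECTION: proto VALUE
            r["proto"], i = toks[i + 1], i + 2
        if at(i) == "all":                          # all | from OBJ to OBJ
            r["src"], r["dst"], i = "any", "any", i + 1
        elif at(i) == "from":
            r["src"], i = toks[i + 1], i + 2
            r["src_port"], i = _port(toks, i)
            if at(i) != "to":
                raise ValueError(f"'from' must be followed by 'to': {text!r}")
            r["dst"], i = toks[i + 1], i + 2
            r["dst_port"], i = _port(toks, i)
        else:
            raise ValueError(f"rule needs 'all' or 'from ... to ...': {text!r}")
        if at(i) == "with":                         # with frags / short / opt ...
            i += 1
            while at(i) not in (None, "flags", "icmp-type", "keep"):
                r["with_opts"].append(toks[i])
                i += 1
        if at(i) == "flags":                        # TCP_FLAG
            r["flags"], i = toks[i + 1], i + 2
        if at(i) == "icmp-type":
            r["icmp_type"], i = int(toks[i + 1]), i + 2
        if at(i) == "keep" and at(i + 1) == "state":    # STATEFUL
            r["keep_state"], i = True, i + 2
    except IndexError:
        raise ValueError(f"truncated rule: {text!r}") from None
    if i != len(toks):
        raise ValueError(f"unexpected token {toks[i]!r} in {text!r}")
    return r


def lint_rule(r, public_iface):
    """Findings for one parsed rule; stateful checks apply to pass rules on
    the public interface, as the Outbound section of the ruleset expects."""
    p = []
    if not r["quick"]:
        p.append("missing 'quick': rule is not the last one checked on a match")
    if r["on"] is None:
        p.append("missing 'on IFACE': rule is not bound to an interface")
    if r["action"] == "pass" and r["on"] == public_iface:
        if r["proto"] is None:
            p.append("pass rule without 'proto'")
        elif r["proto"] in ("tcp", "udp", "tcp/udp") and not r["dst_port"]:
            p.append("pass rule without a port on the 'to' object")
        if r["proto"] == "tcp" and r["flags"] != "S":
            p.append("pass tcp rule without 'flags S' marking the session start")
        if not r["keep_state"]:
            p.append("pass rule without 'keep state'")
    if r["log"] and r["keep_state"] and "first" not in r["log_opts"]:
        p.append("'log' on a 'keep state' rule should be 'log first'")
    return p
```

<para>To check a live ruleset, feed each line of <filename>/etc/ipf.rules</filename> through <literal>parse_rule()</literal> and then <literal>lint_rule()</literal> with the name of the interface facing the Internet.</para>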
ÏðïéïäÞðïôå ðáêÝôï ãéá ôï ïðïßï ôï IPF åßíáé óßãïõñï üôé ðñüêåéôáé ãéá ôìÞìá ìéáò åíåñãÞò óõíåäñßáò, èá ðåñÜóåé áêüìá êáé áí åßíáé äéáöïñåôéêü ðñùôüêïëëï.</para> <para>Áõôü ðïõ óõìâáßíåé åßíáé ôï ðáñáêÜôù:</para> <para>Ôá ðáêÝôá ðïõ ðñïïñßæïíôáé íá åîÝëèïõí ìÝóù ôçò äéåðáöÞò ðïõ óõíäÝåôáé óôï Internet, åëÝã÷ïíôáé áñ÷éêÜ óýìöùíá ìå ôï äõíáìéêü ðßíáêá êáôáóôÜóåùí. Áí ôï ðáêÝôï ôáéñéÜæåé ìå ôï åðüìåíï ðïõ áíáìÝíåôáé óå ìéá åíåñãÞ óõíåäñßá, åîÝñ÷åôáé áðü ôï firewall êáé ôáõôü÷ñïíá åíçìåñþíåôáé ç êáôÜóôáóç ôçò óõãêåêñéìÝíçò óõíåäñßáò óôïí ðáñáðÜíù äõíáìéêü ðßíáêá. Ôá õðüëïéðá ðáêÝôá (ðïõ äåí ôáéñéÜæïõí ìå êÜðïéá óõíåäñßá óå åîÝëéîç) åëÝã÷ïíôáé óýìöùíá ìå ôï óýíïëï êáíüíùí ãéá ôá åîåñ÷üìåíá ðáêÝôá.</para> <para>Ôá ðáêÝôá ðïõ Ýñ÷ïíôáé áðü ôç äéåðáöÞ ðïõ åßíáé óõíäåìÝíç ìå ôï Internet, åëÝã÷ïíôáé áñ÷éêÜ ìÝóù ôïõ äõíáìéêïý ðßíáêá êáôáóôÜóåùí. Áí ôï ðáêÝôï ôáéñéÜæåé ìå ôï åðüìåíï ðïõ áíáìÝíåôáé óå ìéá åíåñãÞ óõíåäñßá, åîÝñ÷åôáé áðü ôï firewall êáé ôáõôü÷ñïíá åíçìåñþíåôáé ç êáôÜóôáóç ôçò óõãêåêñéìÝíçò óõíåäñßáò óôïí ðáñáðÜíù ðßíáêá. Ôá õðüëïéðá ðáêÝôá (ðïõ äåí ôáéñéÜæïõí ìå êÜðïéá óõíåäñßá óå åîÝëéîç) åëÝã÷ïíôáé óýìöùíá ìå ôï óýíïëï êáíüíùí ãéá ôá åéóåñ÷üìåíá ðáêÝôá.</para> <para>¼ôáí ç åðéêïéíùíßá ïëïêëçñùèåß, äéáãñÜöåôáé áðü ôïí äõíáìéêü ðßíáêá êáôáóôÜóåùí.</para> <para>Ôï stateful öéëôñÜñéóìá åðéôñÝðåé íá åóôéÜóïõìå ôçí ðñïóï÷Þ ìáò óôçí áðïäï÷Þ Þ áðüññéøç ôùí íÝùí óõíäÝóåùí. Áí åðéôñáðåß ìéá íÝá óõíåäñßá, üëá ôá õðüëïéðá ðáêÝôá ôçò èá åðéôñÝðïíôáé áõôüìáôá, åíþ ôõ÷üí øåýôéêá ðáêÝôá èá áðïññßðôïíôáé åðßóçò áõôüìáôá. Ôï stateful öéëôñÜñéóìá äéáèÝôåé ìéá óåéñÜ áðü ðñï÷ùñçìÝíåò éêáíüôçôåò äéåñåýíçóçò ôùí ðáêÝôùí, ìå äõíáôüôçôá íá áìýíåôáé óå ðïëëÝò äéáöïñåôéêÝò ìåèüäïõò ðïõ ÷ñçóéìïðïéïýí ïé åðéôéèÝìåíïé.</para> </sect2> <sect2> <!-- XXX: This section needs a rewrite --> <title>ÐáñÜäåéãìá Óõíüëïõ Êáíüíùí ãéá Ýíá Inclusive Firewall</title> <para>Ôï ðáñáêÜôù óýíïëï êáíüíùí äßíåôáé ùò ðáñÜäåéãìá ãéá íá öôéÜîåôå Ýíá éäéáßôåñá áóöáëÝò inclusive firewall. 
¸íá inclusive firewall åðéôñÝðåé ôï ðÝñáóìá ìüíï ôùí õðçñåóéþí ðïõ ôáéñéÜæïõí ìå ôïõò êáíüíåò ðïõ Ý÷åé ãéá áðïäï÷Þ ðáêÝôùí, êáé áðïññßðôåé üëá ôá õðüëïéðá. Ôá firewalls ðïõ ðñïóôáôåýïõí Üëëá ìç÷áíÞìáôá (ôá ïðïßá êáëïýíôáé êáé <quote>network firewalls</quote>) èá ðñÝðåé íá äéáèÝôïõí ôïõëÜ÷éóôïí äýï äéåðáöÝò. Ç ìéá äéåðáöÞ óõíäÝåôáé ìå ôï ôïðéêü äßêôõï (<acronym>LAN</acronym>) ôï ïðïßï èåùñåßôáé Ýìðéóôï, êáé ç Üëëç ìå ôï äçìüóéï Internet. ÅíáëëáêôéêÜ, Ýíá firewall ìðïñåß íá ðñïóôáôåýåé ìüíï ôï óýóôçìá óôï ïðïßï åêôåëåßôáé—áõôü êáëåßôáé <quote>host based firewall</quote> êáé åßíáé êáôÜëëçëï éäéáßôåñá ãéá åîõðçñåôçôÝò ðïõ ëåéôïõñãïýí óå ìç Ýìðéóôá äßêôõá.</para> <para>¼ëá ôá óõóôÞìáôá ôýðïõ &unix;, óõìðåñéëáìâáíïìÝíïõ êáé ôïõ &os;, Ý÷ïõí ó÷åäéáóôåß íá ÷ñçóéìïðïéïýí ôçí äéåðáöÞ <devicename>lo0</devicename> êáé ôçí IP äéåýèõíóç <hostid role="ipaddr">127.0.0.1</hostid> ãéá åóùôåñéêÞ åðéêïéíùíßá ìÝóá óôï ßäéï ôï ëåéôïõñãéêü óýóôçìá. Ôï firewall ðñÝðåé íá ðåñéÝ÷åé êáíüíåò ðïõ íá åðéôñÝðïõí ôçí åëåýèåñç êáé ÷ùñßò ðåñéïñéóìïýò êßíçóç ôùí åéäéêþí áõôþí åóùôåñéêþí ðáêÝôùí.</para> <para>Ïé êáíüíåò ðïõ åîïõóéïäïôïýí ôçí ðñüóâáóç ðñïò ôï Internet, ïñßæïíôáé óôçí äéåðáöÞ ôïõ äéêôýïõ ðïõ óõíäÝåôáé óå áõôü. Ïé êáíüíåò áõôïß åëÝã÷ïõí ôüóï ôçí åéóåñ÷üìåíç üóï êáé ôçí åîåñ÷üìåíç êßíçóç óôï Internet. 
Ç äéåðáöÞ áõôÞ ìðïñåß íá åßíáé ç <devicename>tun0</devicename> ðïõ ÷ñçóéìïðïéåßôáé óôï PPP ÷ñÞóôç, Þ áêüìá êáé ç êÜñôá äéêôýïõ ðïõ óõíäÝåôáé óå Ýíá DSL router Þ modem.</para> <para>Óå ðåñßðôùóç ðïõ ìéá Þ ðåñéóóüôåñåò êÜñôåò äéêôýïõ óõíäÝïíôáé óå åóùôåñéêÜ éäéùôéêÜ äßêôõá ðßóù áðü ôï firewall, èá ðñÝðåé íá õðÜñ÷ïõí ïé áíôßóôïé÷ïé êáíüíåò ðïõ íá åðéôñÝðïõí ôçí åëåýèåñç äéáêßíçóç ôùí ðáêÝôùí áíÜìåóá óôéò äéåðáöÝò áõôÝò Þ/êáé óôï Internet.</para> <para>Ïé êáíüíåò ðñÝðåé íá ïñãáíþíïíôáé óå ôñåéò êýñéåò åíüôçôåò: áñ÷éêÜ üëåò ïé äéåðáöÝò óôéò ïðïßåò åðéôñÝðåôáé ç åëåýèåñç äéáêßíçóç äåäïìÝíùí, Ýðåéôá ç äéåðáöÞ áðü ôçí ïðïßá åîÝñ÷ïíôáé ôá ðáêÝôá ðñïò ôï äçìüóéï äßêôõï (Internet) êáé ôÝëïò ç äéåðáöÞ áðü ôçí ïðïßá ëáìâÜíïíôáé ðáêÝôá áðü ôï Internet.</para> <para>Óå êÜèå ìéá áðü ôéò åíüôçôåò ôùí äéåðáöþí ðïõ óõíäÝïíôáé óôï Internet, ðñÝðåé íá ôïðïèåôïýíôáé ðñþôïé ïé êáíüíåò ðïõ ôáéñéÜæïõí óõ÷íüôåñá ìå ôçí áíôßóôïé÷ç êßíçóç. Ï ôåëåõôáßïò êáíüíáò ôçò åíüôçôáò èá ðñÝðåé íá áðïññßðôåé êáé íá êáôáãñÜöåé üëá ôá ðáêÝôá ôçò óõãêåêñéìÝíçò äéåðáöÞò/êáôåýèõíóçò.</para> <para>Ç åíüôçôá ôùí Åîåñ÷ïìÝíùí (Outbound) óôï áêüëïõèï óýíïëï êáíüíùí, ðåñéÝ÷åé ìüíï êáíüíåò ôýðïõ <literal>pass</literal> ïé ïðïßïé åðéôñÝðïõí (ìÝóù êáôÜëëçëùí ôéìþí óôéò ðáñáìÝôñïõò ôïõò) óå óõãêåêñéìÝíåò õðçñåóßåò íá áðïêôÞóïõí ðñüóâáóç óôï Internet. ¼ëïé ïé êáíüíåò äéáèÝôïõí ôéò åðéëïãÝò <literal>quick</literal>, <literal>on</literal>, <literal>proto</literal>, <literal>port</literal> êáé <literal>keep state</literal>. Ïé êáíüíåò <literal>proto tcp</literal> ðåñéëáìâÜíïõí ôçí åðéëïãÞ <literal>flag</literal> þóôå íá áíáãíùñßæïõí ôçí áßôçóç Ýíáñîçò ôçò óõíåäñßáò êáé íá åíåñãïðïéïýí ôç ëåéôïõñãßá äéáôÞñçóçò ôçò êáôÜóôáóçò (stateful).</para> <para>Óôçí åíüôçôá ôùí åéóåñ÷üìåíùí ðáêÝôùí (Inbound) ðïõ öáßíåôáé ðáñáêÜôù, ðñþôïé åìöáíßæïíôáé ïé êáíüíåò ðïõ ÷ñçóéìïðïéïýíôáé ãéá ôçí áðüññéøç ôùí áíåðéèýìçôùí ðáêÝôùí. Áõôü ãßíåôáé ãéá äýï äéáöïñåôéêïýò ëüãïõò. 
Ï ðñþôïò åßíáé üôé ôá êáêüâïõëá ðáêÝôá ìðïñåß åí ìÝñåé íá ôáéñéÜæïõí ìå êÜðïéá ÷áñáêôçñéóôéêÜ ôçò Ýãêõñçò êßíçóçò. Ôá ðáêÝôá áõôÜ èá ðñÝðåé íá áðïññéöèïýí, áíôß íá ãßíïõí äåêôÜ áðü êÜðïéï åðüìåíï êáíüíá <literal>allow</literal>. Ï äåýôåñïò åßíáé üôé ìðïñåßôå íá áðïññßøåôå óõãêåêñéìÝíá ðáêÝôá ôá ïðïßá ãíùñßæåôå üôé äåí åßíáé Ýãêõñá, áëëÜ óáò åßíáé áäéÜöïñç ç êáôáãñáöÞ ôïõò. Ìå ôïí ôñüðï áõôü åìðïäßæåôáé ç ëÞøç êáé êáôáãñáöÞ ôïõò áðü ôïí ôåëåõôáßï êáíüíá. Ï ôåëåõôáßïò êáíüíáò ôõðéêÜ áðïññßðôåé êáé êáôáãñÜöåé üëá ôá ðáêÝôá ðïõ Ýöôáóáí ìÝ÷ñé áõôüí. Ï êáíüíáò áõôüò ÷ñçóéìïðïéåßôáé ãéá ôçí ðáñï÷Þ íïìéêþí áðïäåßîåùí óå ðåñßðôùóç ðïõ êéíÞóåôå äéêáóôéêÞ äéáäéêáóßá êáôÜ áôüìùí ðïõ ðñïÝâçóáí óå åðéèÝóåéò óôï óýóôçìá óáò.</para> <para>Èá ðñÝðåé åðßóçò íá åîáóöáëßóåôå üôé ôï óýóôçìá óáò äåí èá äþóåé êáìéÜ áðÜíôçóç óå êáíÝíá áðü ôá áíåðéèýìçôá ðáêÝôá. Ôá ðáêÝôá áõôÜ èá ðñÝðåé íá áðïññéöèïýí êáé íá åîáöáíéóôïýí. Ìå ôïí ôñüðï áõôü, ï åðéôéèÝìåíïò äåí Ý÷åé êáìéÜ ãíþóç áí ôá ðáêÝôá ôïõ Ýöôáóáí ìÝ÷ñé ôï óýóôçìá óáò. ¼óï ëéãüôåñá ìðïñïýí íá ìÜèïõí ïé åðéôéèÝìåíïé ó÷åôéêÜ ìå ôï óýóôçìá óáò, ôüóï ðåñéóóüôåñï ÷ñüíï èá ÷ñåéáóôåß íá åðåíäýóïõí ãéá íá êáôáöÝñïõí íá óáò âëÜøïõí óôá áëÞèåéá. Ïé êáíüíåò ìå ôçí åðéëïãÞ <literal>log first</literal> êáôáãñÜöïõí ôï óõìâÜí ìüíï ôçí ðñþôç öïñÜ ðïõ åíåñãïðïéïýíôáé. Ç åðéëïãÞ áõôÞ ðåñéëáìâÜíåôáé óôïí êáíüíá <literal>nmap OS fingerprint</literal> óôï ðáñÜäåéãìá ðïõ öáßíåôáé ðáñáêÜôù. Ôï âïçèçôéêü ðñüãñáììá <filename role="package">security/nmap</filename> ÷ñçóéìïðïéåßôáé óõ÷íÜ áðü êáêüâïõëá Üôïìá, ðïõ ðñïóðáèïýí ìå áõôü ôïí ôñüðï íá áíáãíùñßóïõí ôï ëåéôïõñãéêü óýóôçìá ôïõ ìç÷áíÞìáôïò óáò.</para> <para>ÊÜèå öïñÜ ðïõ õðÜñ÷åé êáôáãñáöÞ áðü êÜðïéï êáíüíá ìå ôçí åðéëïãÞ <literal>log first</literal>, èá ðñÝðåé íá åêôåëÝóåôå ôçí åíôïëÞ <command>ipfstat -hio</command> ãéá íá äåßôå ðüóåò öïñÝò Ý÷åé åíåñãïðïéçèåß áõôüò ï êáíüíáò óõíïëéêÜ. ¸ôóé èá îÝñåôå áí ð.÷. 
óáò êÜíïõí åðßèåóç õðåñ÷åßëéóçò (flood).</para> <para>Äåßôå ôï áñ÷åßï <filename>/etc/services</filename> ãéá íá âñåßôå áñéèìïýò èõñþí ðïõ äåí áíáãíùñßæåôå. Ìðïñåßôå åðßóçò íá åðéóêåöèåßôå ôçí ôïðïèåóßá <ulink url="http://www.securitystats.com/tools/portsearch.php"></ulink> êáé íá êÜíåôå áíáæÞôçóç ãéá ôç óõãêåêñéìÝíç èýñá, þóôå íá äåßôå ðïéá õðçñåóßá åîõðçñåôåß.</para> <para>Äåßôå ôçí åðüìåíç ôïðïèåóßá ãéá ôéò èýñåò ðïõ ÷ñçóéìïðïéïýíôáé óõíÞèùò áðü êáêüâïõëá ðñïãñÜììáôá (trojans): <ulink url="http://www.simovits.com/trojans/trojans.html"></ulink>.</para> <para>Ôï ðáñáêÜôù óýíïëï êáíüíùí åßíáé áñêåôÜ ðëÞñåò êáé ðïëý áóöáëÝò. Äçìéïõñãåß firewall ôýðïõ <literal>inclusive</literal>, êáé Ý÷åé äïêéìáóôåß óå ðñáãìáôéêÝò óõíèÞêåò ëåéôïõñãßáò. Ìðïñåß íá åîõðçñåôÞóåé ôï ßäéï êáëÜ êáé ôï äéêü óáò óýóôçìá. Áðëþò ìåôáôñÝøôå óå ó÷üëéï ôïõò êáíüíåò ãéá ôéò õðçñåóßåò ðïõ äåí èÝëåôå íá åíåñãïðïéÞóåôå.</para> <para>Ãéá íá áðïöýãåôå ôçí êáôáãñáöÞ áíåðéèýìçôùí ìçíõìÜôùí, áðëþò ðñïóèÝóôå Ýíá áíôßóôïé÷ï êáíüíá áðüññéøçò (<literal>block</literal>) óôçí åíüôçôá ôùí åéóåñ÷ïìÝíùí (inbound).</para> <para>Èá ðñÝðåé íá áëëÜîåôå ôï üíïìá ôçò äéåðáöÞò <devicename>dc0</devicename> ôïõ ðáñáäåßãìáôïò, ìå ôï ðñáãìáôéêü üíïìá ôçò êÜñôáò äéêôýïõ ðïõ óõíäÝåé ôï óýóôçìá óáò ìå ôï Internet. 
Ãéá üóïõò ÷ñçóéìïðïéïýí ôï PPP ÷ñÞóôç, ôï üíïìá èá åßíáé <devicename>tun0</devicename>.</para> <para>ÐñïóèÝóôå ôéò áêüëïõèåò êáôá÷ùñßóåéò óôï áñ÷åßï <filename>/etc/ipf.rules</filename>:</para> <programlisting>################################################################# # No restrictions on Inside LAN Interface for private network # Not needed unless you have LAN ################################################################# #pass out quick on xl0 all #pass in quick on xl0 all ################################################################# # No restrictions on Loopback Interface ################################################################# pass in quick on lo0 all pass out quick on lo0 all ################################################################# # Interface facing Public Internet (Outbound Section) # Match session start requests originating from behind the # firewall on the private network # or from this gateway server destined for the public Internet. ################################################################# # Allow out access to my ISP's Domain name server. # xxx must be the IP address of your ISP's DNS. # Dup these lines if your ISP has more than one DNS server # Get the IP addresses from /etc/resolv.conf file pass out quick on dc0 proto tcp from any to xxx port = 53 flags S keep state pass out quick on dc0 proto udp from any to xxx port = 53 keep state # Allow out access to my ISP's DHCP server for cable or DSL networks. # This rule is not needed for 'user ppp' type connection to the # public Internet, so you can delete this whole group. # Use the following rule and check log for IP address. 
# Then put IP address in commented out rule & delete first rule
pass out log quick on dc0 proto udp from any to any port = 67 keep state
#pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state

# Allow out non-secure standard www function
pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state

# Allow out secure www function https over TLS SSL
pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state

# Allow out send & get email function
pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state
pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state

# Allow out Time
pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state

# Allow out nntp news
pass out quick on dc0 proto tcp from any to any port = 119 flags S keep state

# Allow out gateway & LAN users' non-secure FTP ( both passive & active modes)
# This function uses the IP<acronym>NAT</acronym> built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state

# Allow out ssh/sftp/scp (telnet/rlogin/FTP replacements)
# This function is using SSH (secure shell)
pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state

# Allow out insecure Telnet
pass out quick on dc0 proto tcp from any to any port = 23 flags S keep state

# Allow out FreeBSD CVSup function
pass out quick on dc0 proto tcp from any to any port = 5999 flags S keep state

# Allow out ping to public Internet
pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state

# Allow out whois from LAN to public Internet
pass out quick on dc0 proto tcp from any to any port = 43 flags S keep state

# Block and log only the first occurrence of everything
# else that's trying to get out.
# This rule implements the default block
block out log first quick on dc0 all

#################################################################
# Interface facing Public Internet (Inbound Section)
# Match packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on dc0 from 192.168.0.0/16 to any    #RFC 1918 private IP
block in quick on dc0 from 172.16.0.0/12 to any     #RFC 1918 private IP
block in quick on dc0 from 10.0.0.0/8 to any        #RFC 1918 private IP
block in quick on dc0 from 127.0.0.0/8 to any       #loopback
block in quick on dc0 from 0.0.0.0/8 to any         #loopback
block in quick on dc0 from 169.254.0.0/16 to any    #DHCP auto-config
block in quick on dc0 from 192.0.2.0/24 to any      #reserved for docs
block in quick on dc0 from 204.152.64.0/23 to any   #Sun cluster interconnect
block in quick on dc0 from 224.0.0.0/3 to any       #Class D & E multicast

##### Block a bunch of different nasty things. ############
# That I do not want to see in the log

# Block frags
block in quick on dc0 all with frags

# Block short tcp packets
block in quick on dc0 proto tcp all with short

# block source routed packets
block in quick on dc0 all with opt lsrr
block in quick on dc0 all with opt ssrr

# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on dc0 proto tcp from any to any flags FUP

# Block anything with special options
block in quick on dc0 all with ipopts

# Block public pings
block in quick on dc0 proto icmp all icmp-type 8

# Block ident
block in quick on dc0 proto tcp from any to any port = 113

# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in log first quick on dc0 proto tcp/udp from any to any port = 137
block in log first quick on dc0 proto tcp/udp from any to any port = 138
block in log first quick on dc0 proto tcp/udp from any to any port = 139
block in log first quick on dc0 proto tcp/udp from any to any port = 81

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type. Only necessary for
# cable or DSL configurations. This rule is not needed for
# 'user ppp' type connection to the public Internet.
# This is the same IP address you captured and
# used in the outbound section.
pass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state

# Allow in standard www function because I have apache server
pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID/PW passed over public Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
#pass in quick on dc0 proto tcp from any to any port = 23 flags S keep state

# Allow in secure FTP, Telnet, and SCP from public Internet
# This function is using SSH (secure shell)
pass in quick on dc0 proto tcp from any to any port = 22 flags S keep state

# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence avoids filling up disk with Denial of Service logs.
# This rule implements the default block.
block in log first quick on dc0 all
################### End of rules file #####################################</programlisting>
</sect2>
<sect2>
<title><acronym>NAT</acronym></title>
<indexterm><primary>NAT</primary></indexterm>
<indexterm> <primary>IP masquerading</primary> <see>NAT</see> </indexterm>
<indexterm> <primary>network address translation</primary> <see>NAT</see> </indexterm>
<para><acronym>NAT</acronym> is an acronym for <emphasis>Network Address Translation</emphasis>. For those familiar with &linux;, it is based on the principle of IP Masquerading; in fact, <acronym>NAT</acronym> and IP Masquerading are the same thing. One of the many capabilities provided by the <acronym>NAT</acronym> function of IPF is the ability to have a private local network (LAN) behind the firewall that shares a single public IP address on the Internet.</para>
<para>You may wonder why anyone would want to do this. ISPs usually assign dynamic addresses to their non-business customers. In practice this means that the IP address assigned to your machine may be different every time you dial in to connect. For DSL modem and router users, the address changes every time the modem is powered on. The IP address assigned to you by your ISP is the one you appear as on the Internet.</para>
<para>Now suppose you have five PCs at home and need Internet access on all of them. Normally, you would have to pay your ISP for a separate account for each PC and have five phone lines.</para>
<para>With <acronym>NAT</acronym>, you need only one account with your ISP. You can simply connect the four PCs to a hub or switch, to which you also connect your &os; machine. That machine will act as the gateway of your local network to the Internet.
<acronym>NAT</acronym> automatically translates the private IP address of each machine into the single public IP address you have, as the packet leaves the firewall bound for the Internet. It also performs the reverse translation for the returning packets.</para>
<para>There is a special range of IP addresses that has been reserved for use on local networks behind <acronym>NAT</acronym>. According to RFC 1918, you can use the following ranges for this purpose; they are never routed directly on the public Internet:</para>
<informaltable frame="none" pgwide="1">
<tgroup cols="3">
<colspec colwidth="1*"/> <colspec colwidth="1*"/> <colspec colwidth="1*"/>
<tbody>
<row> <entry>Start IP <hostid role="ipaddr">10.0.0.0</hostid></entry> <entry>-</entry> <entry>End IP <hostid role="ipaddr">10.255.255.255</hostid></entry> </row>
<row> <entry>Start IP <hostid role="ipaddr">172.16.0.0</hostid></entry> <entry>-</entry> <entry>End IP <hostid role="ipaddr">172.31.255.255</hostid></entry> </row>
<row> <entry>Start IP <hostid role="ipaddr">192.168.0.0</hostid></entry> <entry>-</entry> <entry>End IP <hostid role="ipaddr">192.168.255.255</hostid></entry> </row>
</tbody>
</tgroup>
</informaltable>
</sect2>
<sect2>
<title>IP<acronym>NAT</acronym></title>
<indexterm> <primary>NAT</primary> <secondary>and IPFILTER</secondary> </indexterm>
<indexterm><primary><command>ipnat</command></primary></indexterm>
<para>The <acronym>NAT</acronym> rules are loaded with the <command>ipnat</command> command. Typically, the <acronym>NAT</acronym> rules are stored in <filename>/etc/ipnat.rules</filename>.
See the &man.ipnat.1; manual page for details.</para>
<para>To change the <acronym>NAT</acronym> rules while it is running, edit the file that contains them and run <command>ipnat</command> with the <option>-CF</option> option, which deletes the internal <acronym>NAT</acronym> rules and flushes all active entries from the translation table.</para>
<para>To reload the <acronym>NAT</acronym> rules, run a command like the following:</para>
<screen>&prompt.root; <userinput>ipnat -CF -f /etc/ipnat.rules</userinput></screen>
<para>To display some statistics about <acronym>NAT</acronym>, use the following command:</para>
<screen>&prompt.root; <userinput>ipnat -s</userinput></screen>
<para>To list the current entries of the <acronym>NAT</acronym> table, use the following command:</para>
<screen>&prompt.root; <userinput>ipnat -l</userinput></screen>
<para>To turn on verbose mode and display information related to rule processing, together with the active rules and table entries, type:</para>
<screen>&prompt.root; <userinput>ipnat -v</userinput></screen>
</sect2>
<sect2>
<title>IP<acronym>NAT</acronym> Rules</title>
<para><acronym>NAT</acronym> rules are quite flexible and provide many capabilities to meet the needs of home as well as business users.</para>
<para>The rule syntax presented here has been simplified to match what is commonly used in non-commercial environments.
For a more complete description of the syntax, see the &man.ipnat.5; manual page.</para>
<para>The syntax of a <acronym>NAT</acronym> rule looks like this:</para>
<programlisting>map <replaceable>IF</replaceable> <replaceable>LAN_IP_RANGE</replaceable> -> <replaceable>PUBLIC_ADDRESS</replaceable></programlisting>
<para>The rule begins with the word <literal>map</literal>.</para>
<para>Replace <replaceable>IF</replaceable> with the external interface (the network card that connects to the Internet).</para>
<para>The <replaceable>LAN_IP_RANGE</replaceable> parameter is the address range used by your internal network. In practice it will look something like <hostid role="ipaddr">192.168.1.0/24</hostid>.</para>
<para>The <replaceable>PUBLIC_ADDRESS</replaceable> parameter can be either the external IP address or the special keyword <literal>0/32</literal>, which means that the IP address assigned to <replaceable>IF</replaceable> is to be used.</para>
</sect2>
<sect2>
<title>How <acronym>NAT</acronym> Works</title>
<para>A packet arrives at the firewall from the LAN, destined for the Internet. It passes through the outbound filter rules and is then processed by <acronym>NAT</acronym>. The rules are applied from the top down, and the first matching rule wins. The test is made on the interface the packet was received on and on its source IP address. When a packet's interface name matches a <acronym>NAT</acronym> rule, the source IP address (which comes from the private network) is checked to see whether it falls within the address range given on the left-hand side of the arrow in the <acronym>NAT</acronym> rule. If it matches, the packet's address is rewritten using the public IP address provided by <literal>0/32</literal>.
<acronym>NAT</acronym> creates an entry in its internal table so that, when the reply returns from the Internet, it can be mapped back to the original private IP address and then passed through the filter rules for further processing.</para>
</sect2>
<sect2>
<title>Enabling IP<acronym>NAT</acronym></title>
<para>To enable IP<acronym>NAT</acronym>, add the following lines to <filename>/etc/rc.conf</filename>.</para>
<para>To allow your machine to route packets between network interfaces:</para>
<programlisting>gateway_enable="YES"</programlisting>
<para>To start IP<acronym>NAT</acronym> automatically on every boot:</para>
<programlisting>ipnat_enable="YES"</programlisting>
<para>To specify where the IP<acronym>NAT</acronym> rules are to be loaded from:</para>
<programlisting>ipnat_rules="/etc/ipnat.rules"</programlisting>
</sect2>
<sect2>
<title><acronym>NAT</acronym> on a Large LAN</title>
<para>For local networks with a large number of computers, or for networks that join more than one LAN, the process of translating all those private addresses into a single public address creates a resource-allocation problem: the same port numbers get used many times, leading to collisions among the PCs on the network. There are two ways to reduce this problem.</para>
<sect3>
<title>Assigning the Ports to Use</title>
<!-- What does it mean ? Is there something missing ?-->
<!-- XXXBLAH <- Apparently you can't start a sect with a <programlisting> tag ?-->
<para>A typical NAT rule looks like this:</para>
<programlisting>map dc0 192.168.1.0/24 -> 0/32</programlisting>
<para>In the above rule, the packet's source port remains unchanged as the packet passes through IP<acronym>NAT</acronym>.
If you add the <literal>portmap</literal> keyword, you can direct IP<acronym>NAT</acronym> to use ports from a specified range. For example, the following rule will make <acronym>NAT</acronym> modify the source port so that it falls within the range shown:</para>
<programlisting>map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000</programlisting>
<para>We can simplify things even further by using the keyword <literal>auto</literal>, so that IP<acronym>NAT</acronym> works out by itself which ports are available for use:</para>
<programlisting>map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto</programlisting>
</sect3>
<sect3>
<title>Using a Pool of Public Addresses</title>
<para>On a very large local network, sooner or later we reach the point where a single public address is not enough to cover so many private ones. If a range of public addresses is available, they can be used as a <quote>pool</quote>, letting IP<acronym>NAT</acronym> pick one of them as it maps packets on their way out to the public network.</para>
<para>For example, instead of mapping all packets through a single public IP address, as below:</para>
<programlisting>map dc0 192.168.1.0/24 -> 204.134.75.1</programlisting>
<para>we can use a range of IP addresses, either with a netmask:</para>
<programlisting>map dc0 192.168.1.0/24 -> 204.134.75.0/255.255.255.0</programlisting>
<para>or in CIDR notation:</para>
<programlisting>map dc0 192.168.1.0/24 -> 204.134.75.0/24</programlisting>
</sect3>
</sect2>
<sect2>
<title>Port Redirection</title>
<para>It is common practice to run services such as the web server, mail server, database and DNS on different PCs on the local network.
In that case, the packet traffic from those machines still needs <acronym>NAT</acronym>, but there also has to be some way to direct the inbound traffic to the right PCs on the network. IP<acronym>NAT</acronym> has the appropriate facilities to solve this problem. For example, suppose a web server is at LAN address <hostid role="ipaddr">10.0.10.25</hostid> and the single public IP address is <hostid role="ipaddr">20.20.20.5</hostid>. The rule you would write would look like this:</para>
<programlisting>rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80</programlisting>
<para>or:</para>
<programlisting>rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.25 port 80</programlisting>
<para>or, for a DNS server at local network address <hostid role="ipaddr">10.0.10.33</hostid> which must accept queries from the public network:</para>
<programlisting>rdr dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udp</programlisting>
</sect2>
<sect2>
<title>FTP and <acronym>NAT</acronym></title>
<para>FTP is a dinosaur left over from the days when the Internet was in its infancy, when university research labs were connected to each other by leased lines and researchers used it to send files to one another. Back then there were no security concerns. Over time, FTP got buried in the back of the rapidly evolving Internet. It never evolved to overcome security problems, such as the fact that it sends the user name and password as plain text. FTP has two modes of operation, active and passive. The difference lies in how the data channel is obtained. Passive mode is more secure, since the data channel is established from the session's main channel.
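The <literal>map</literal>, <literal>portmap</literal>, pool and <literal>rdr</literal> rules of the preceding sections, worked through in a small Python model of how IPNAT treats them (an added example, not IPNAT's own code). It assumes that 0/32 resolves to the interface address 20.20.20.5, that the hosts 198.51.100.7 and 203.0.113.9 are constructed Internet peers, that a pool address is chosen by hashing the private address, and that an <literal>rdr</literal> rule with no protocol means tcp.

```python
"""Toy model of IPNAT 'map'/'rdr' processing (added example, not FreeBSD's code).
Rules are tried top down and the first whose interface and source range match
wins; 0/32 means the interface's own address; 'portmap' rewrites the source port
into a range; a network on the right is a pool of public addresses; 'rdr' steers
inbound traffic to a LAN host.  Timeouts, TCP state and the FTP proxy are left out."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")   # proto: "tcp" or "udp"
AUTO_RANGE = (1024, 65535)   # assumption: the range 'portmap ... auto' draws from here


class IPNAT:
    def __init__(self, rules, iface_addrs):
        self.iface_addrs = iface_addrs   # {"dc0": "20.20.20.5"}: what 0/32 resolves to
        self.maps, self.rdrs = [], []
        self.forward = {}     # (proto, lan_ip, lan_port) -> (public_ip, public_port)
        self.table = {}       # (proto, public_ip, public_port) -> (lan_ip, lan_port)
        self.collisions = 0   # times a public port was claimed by a second LAN host
        for line in (raw.split("#")[0].strip() for raw in rules.splitlines()):
            if line:
                self._parse(line)

    def _parse(self, line):
        t = line.split()
        kind, iface, arrow = t[0], t[1], t.index("->")
        if kind == "map":                  # map IF LAN/MASK -> PUBLIC [portmap tcp/udp RANGE]
            lan = ipaddress.ip_network(t[2], strict=False)
            pub = t[arrow + 1] if t[arrow + 1] == "0/32" else ipaddress.ip_network(t[arrow + 1], strict=False)
            prange = None
            if "portmap" in t:
                spec = t[t.index("portmap") + 2]   # "20000:60000" or "auto"
                prange = AUTO_RANGE if spec == "auto" else tuple(map(int, spec.split(":")))
            self.maps.append((iface, lan, pub, prange))
        elif kind == "rdr":                # rdr IF DST/MASK port N -> HOST port M [proto]
            dnet = ipaddress.ip_network(t[2], strict=False)
            proto = t[arrow + 4] if len(t) > arrow + 4 else "tcp"   # assumption: tcp when omitted
            self.rdrs.append((iface, dnet, int(t[4]), t[arrow + 1], int(t[arrow + 3]), proto))
        else:
            raise ValueError("unsupported rule: " + line)

    def _alloc_port(self, proto, public_ip, prange):
        """First public port in the portmap range not already in the table."""
        return next(p for p in range(prange[0], prange[1] + 1) if (proto, public_ip, p) not in self.table)

    def outbound(self, iface, pkt):
        """LAN -> Internet: rewrite the source per the first matching map rule."""
        src = ipaddress.ip_address(pkt.src)
        for rule_iface, lan, pub, prange in self.maps:
            if rule_iface != iface or src not in lan:
                continue                              # not this rule: try the next
            fwd = (pkt.proto, pkt.src, pkt.sport)
            if fwd in self.forward:                   # existing session keeps its mapping
                public_ip, public_port = self.forward[fwd]
            else:
                # Pool choice: hash the private address over the pool (assumption; the page does not say)
                public_ip = self.iface_addrs[iface] if pub == "0/32" else str(pub[int(src) % pub.num_addresses])
                # Without portmap the source port is left unchanged, so two LAN
                # hosts using the same port collide on the public side.
                public_port = pkt.sport if prange is None else self._alloc_port(pkt.proto, public_ip, prange)
                key = (pkt.proto, public_ip, public_port)
                if key in self.table and self.table[key] != (pkt.src, pkt.sport):
                    self.collisions += 1
                self.table[key] = (pkt.src, pkt.sport)
                self.forward[fwd] = (public_ip, public_port)
            return Packet(pkt.proto, public_ip, public_port, pkt.dst, pkt.dport)
        return pkt                                    # no map rule matched: left as is

    def inbound(self, iface, pkt):
        """Internet -> gateway: rdr rules first, then replies via the NAT table."""
        dst = ipaddress.ip_address(pkt.dst)
        for rule_iface, dnet, dport, host, port, proto in self.rdrs:
            if rule_iface == iface and dst in dnet and pkt.dport == dport and pkt.proto == proto:
                return Packet(pkt.proto, pkt.src, pkt.sport, host, port)
        lan = self.table.get((pkt.proto, pkt.dst, pkt.dport))
        if lan:
            return Packet(pkt.proto, pkt.src, pkt.sport, lan[0], lan[1])
        return pkt                                    # for the gateway itself; the filter decides


RULES = """
map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
map dc0 10.0.10.0/29 -> 204.134.75.0/24
rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80
rdr dc0 0.0.0.0/0 port 53 -> 10.0.10.33 port 53 udp
"""   # constructed sample ruleset using addresses from the text


def demo():
    nat = IPNAT(RULES, {"dc0": "20.20.20.5"})
    ext = "198.51.100.7"                              # constructed Internet host
    a = nat.outbound("dc0", Packet("tcp", "192.168.1.10", 40000, ext, 80))
    b = nat.outbound("dc0", Packet("tcp", "192.168.1.11", 40000, ext, 80))
    pool = nat.outbound("dc0", Packet("udp", "10.0.10.3", 5555, ext, 53))
    reply = nat.inbound("dc0", Packet("tcp", ext, 80, "20.20.20.5", a.sport))
    web = nat.inbound("dc0", Packet("tcp", "203.0.113.9", 51000, "20.20.20.5", 80))
    dns = nat.inbound("dc0", Packet("udp", "203.0.113.9", 5353, "20.20.20.5", 53))
    # The same two hosts through a plain map rule: source ports are not rewritten.
    plain = IPNAT("map dc0 192.168.1.0/24 -> 0/32", {"dc0": "20.20.20.5"})
    for host in ("192.168.1.10", "192.168.1.11"):
        plain.outbound("dc0", Packet("tcp", host, 40000, ext, 80))
    return dict(a=a, b=b, pool=pool, reply=reply, web=web, dns=dns, plain_collisions=plain.collisions)
```

The last part of <literal>demo()</literal> reproduces the port-collision problem of the large-LAN section: with a plain <literal>map</literal> rule both hosts claim public port 40000, and the reply would reach only the host mapped last.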
You can find a very good description of the protocol and its different modes of operation at <ulink url="http://www.slacksite.com/other/ftp.html"></ulink>.</para>
<sect3>
<title>IP<acronym>NAT</acronym> Rules</title>
<para>IP<acronym>NAT</acronym> has a special option for FTP proxying that can be specified in the appropriate <acronym>NAT</acronym> rule. It can watch all outbound packets to detect the start of an active or passive FTP session, and dynamically create temporary filter rules that contain only the port number used by the data channel. This removes the security problem that would otherwise arise from having to open a large range of (high) ports on the firewall.</para>
<para>The following rule handles all the data for the internal network (LAN):</para>
<programlisting>map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp</programlisting>
<para>The following rule handles FTP traffic from the gateway:</para>
<programlisting>map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp</programlisting>
<para>The following rule handles all traffic from the internal LAN that is not FTP:</para>
<programlisting>map dc0 10.0.10.0/29 -> 0/32</programlisting>
<para>The FTP map rule is placed before the regular map rule. Every packet is first checked against the rule at the top. If it matches the interface and the private IP address and is an FTP packet, the FTP proxy creates temporary filter rules that allow the inbound and outbound FTP traffic while also performing the necessary <acronym>NAT</acronym> translation.
All packets that are not part of an FTP transfer do not match the first rule, so they fall through to the third rule, are checked for the interface and the source IP address, and are translated by <acronym>NAT</acronym> accordingly.</para>
</sect3>
<sect3>
<title>Filter Rules for IP<acronym>NAT</acronym></title>
<para>When the FTP proxy is used, only one rule is needed for <acronym>NAT</acronym>.</para>
<para>Without the FTP proxy, the following three rules are needed:</para>
<programlisting># Allow out LAN PC client FTP to public Internet
# Active and passive modes
pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state

# Allow out passive mode data channel high order port numbers
pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state

# Active mode let data channel in from FTP server
pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</programlisting>
</sect3>
</sect2>
</sect1>
<sect1 id="firewalls-ipfw">
<title>IPFW</title>
<indexterm> <primary>firewall</primary> <secondary>IPFW</secondary> </indexterm>
<para>IPFIREWALL (<acronym>IPFW</acronym>) is software developed for &os;. It is written and maintained by volunteers who belong to the Project. It uses the classic stateless rules as well as a coding technique that achieves what is referred to as Simple Stateful Logic.</para>
<para>The sample IPFW ruleset (in the files <filename>/etc/rc.firewall</filename> and <filename>/etc/rc.firewall6</filename>) of the standard &os; installation is rather simple, and you will need to make some changes before using it. The example does not use stateful filtering.
Stateful operation is beneficial in most cases, so we will not use that example as the basis of this section.</para>
<para>The stateless rule syntax of IPFW has been enhanced with sophisticated selection capabilities which usually far exceed the typical knowledge of the person called upon to configure it. IPFW is aimed at the professional user or the technically advanced hobbyist who needs advanced packet filtering. The real power of IPFW rules is revealed only if you have advanced knowledge of how the different protocols build and use their packet headers. That level of explanation is beyond the scope of this section of the Handbook.</para>
<para>IPFW consists of seven components. The basic component is the kernel firewall rule processor, with integrated logging capability. The remaining components are the logging facility, the <literal>divert</literal> rule which enables <acronym>NAT</acronym>, and the advanced special-purpose facilities: the dummynet traffic shaper, the <literal>fwd rule</literal> forwarding facility, the bridge facility and the ipstealth facility. IPFW supports both IPv4 and IPv6.</para>
<sect2 id="firewalls-ipfw-enable">
<title>Enabling IPFW</title>
<indexterm> <primary>IPFW</primary> <secondary>enabling</secondary> </indexterm>
<para>IPFW is included in the basic &os; installation as a kernel module that can be loaded dynamically. The system will load the module dynamically when it finds the entry <literal>firewall_enable="YES"</literal> in <filename>/etc/rc.conf</filename>.
You do not need to compile IPFW into the kernel.</para>
<para>After rebooting your system with <literal>firewall_enable="YES"</literal> in <filename>rc.conf</filename>, you will see the following message in bold white letters during the boot process:</para>
<screen>ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled</screen>
<para>The module has integrated logging capability. To enable logging and set the level of detail, there are some settings you can put in <filename>/etc/sysctl.conf</filename>. Adding the following entries will enable logging on subsequent boots:</para>
<programlisting>net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5</programlisting>
</sect2>
<sect2 id="firewalls-ipfw-kernel">
<title>Kernel Options</title>
<indexterm> <primary>kernel options</primary> <secondary>IPFIREWALL</secondary> </indexterm>
<indexterm> <primary>kernel options</primary> <secondary>IPFIREWALL_VERBOSE</secondary> </indexterm>
<indexterm> <primary>kernel options</primary> <secondary>IPFIREWALL_VERBOSE_LIMIT</secondary> </indexterm>
<indexterm> <primary>IPFW</primary> <secondary>kernel options</secondary> </indexterm>
<para>It is not mandatory to enable IPFW by compiling the following options into the &os; kernel. This presentation is purely for information.</para>
<programlisting>options IPFIREWALL</programlisting>
<para>This option enables IPFW as part of the kernel.</para>
<programlisting>options IPFIREWALL_VERBOSE</programlisting>
<para>Enables logging of packets that pass through IPFW and have the word <literal>log</literal> in their rule.</para>
<programlisting>options IPFIREWALL_VERBOSE_LIMIT=5</programlisting>
<para>Limits the number of packets logged through &man.syslogd.8; to a specific number per entry.
This setting is useful in hostile environments where logging is desired. In this way a possible attack aimed at flooding the log files can be avoided.</para>
<indexterm> <primary>kernel options</primary> <secondary>IPFIREWALL_DEFAULT_TO_ACCEPT</secondary> </indexterm>
<programlisting>options IPFIREWALL_DEFAULT_TO_ACCEPT</programlisting>
<para>This option lets everything pass through the firewall, which is a good idea the first time you set your firewall up.</para>
<indexterm> <primary>kernel options</primary> <secondary>IPDIVERT</secondary> </indexterm>
<programlisting>options IPDIVERT</programlisting>
<para>This option enables the <acronym>NAT</acronym> functionality.</para>
<note> <para>The firewall will drop all packets to and from the machine unless you include the <literal>IPFIREWALL_DEFAULT_TO_ACCEPT</literal> option or configure a suitable rule that allows these connections.</para> </note>
</sect2>
<sect2 id="firewalls-ipfw-rc">
<title>Options in <filename>/etc/rc.conf</filename></title>
<para>Enable the firewall:</para>
<programlisting>firewall_enable="YES"</programlisting>
<para>To select one of the default firewall types supported by &os;, read <filename>/etc/rc.firewall</filename> and create an entry like the following:</para>
<programlisting>firewall_type="open"</programlisting>
<para>The available values for this setting are:</para>
<itemizedlist>
<listitem> <para><literal>open</literal> — lets all traffic through.</para> </listitem>
<listitem> <para><literal>client</literal> — protects only this machine.</para> </listitem>
<listitem> <para><literal>simple</literal> — protects the whole network.</para> </listitem>
<listitem> <para><literal>closed</literal> — disables packet traffic completely, except on the internal (loopback) interface.</para>
</listitem>
<listitem> <para><literal>UNKNOWN</literal> — disables the loading of firewall rules.</para> </listitem>
<listitem> <para><filename><replaceable>filename</replaceable></filename> — the full path of the file containing the firewall rules.</para> </listitem>
</itemizedlist>
<para>There are two different ways to load custom rules into the <application>ipfw</application> firewall. One is to set the <literal>firewall_type</literal> variable to the absolute path of the file containing the <emphasis>firewall rules</emphasis>, without any command-line arguments for &man.ipfw.8; itself. The rules file shown below denies all inbound and outbound traffic:</para>
<programlisting>add deny in
add deny out</programlisting>
<para>Alternatively, it is also possible to set the <literal>firewall_script</literal> variable to the absolute path of an executable script containing a series of <command>ipfw</command> commands to be executed at boot. A valid script of this kind, equivalent to the rules file shown above, is the following:</para>
<programlisting>#!/bin/sh
ipfw -q flush
ipfw add deny in
ipfw add deny out</programlisting>
<note> <para>If you set <literal>firewall_type</literal> to either <literal>client</literal> or <literal>simple</literal>, you should check that the default rules contained in <filename>/etc/rc.firewall</filename> match the configuration of this particular machine.
Note also that the examples used in this chapter expect you to have set the <literal>firewall_script</literal> variable to <filename>/etc/ipfw.rules</filename>.</para> </note>
<para>Enable logging:</para>
<programlisting>firewall_logging="YES"</programlisting>
<warning> <para>The only thing the <varname>firewall_logging</varname> variable does is set the sysctl variable <varname>net.inet.ip.fw.verbose</varname> to <literal>1</literal> (see <xref linkend="firewalls-ipfw-enable"/>). There is no <filename>rc.conf</filename> variable that sets a logging limit, but that can be set through the sysctl variable above, either by hand or through <filename>/etc/sysctl.conf</filename>:</para>
<programlisting>net.inet.ip.fw.verbose_limit=5</programlisting> </warning>
<para>If your machine acts as a gateway, that is, it provides Network Address Translation (NAT) through &man.natd.8;, please read <xref linkend="network-natd"/> for information on the settings required in <filename>/etc/rc.conf</filename>.</para>
</sect2>
<sect2 id="firewalls-ipfw-cmd">
<title>The IPFW Command</title>
<indexterm><primary><command>ipfw</command></primary></indexterm>
<para>The <command>ipfw</command> command is the usual way to add or delete rules in the firewall's internal active rules while it is running. The problem with this method is that the changes are lost when the machine is shut down. You can write all your rules in a file and use it to load them at boot. You can use the same file to replace the current firewall rules while the firewall is running.
This is also the recommended method, and the one we use in our examples.</para>
<para>The <command>ipfw</command> command is also useful for displaying the current rules on your console. The IPFW accounting facility automatically creates a counter for each rule that counts how many packets matched it. During testing, being able to check the counter's value is one way to determine whether the rule is working properly.</para>
<para>To list all the rules in order:</para>
<screen>&prompt.root; <userinput>ipfw list</userinput></screen>
<para>To list all the rules along with the time each rule was last matched, type:</para>
<screen>&prompt.root; <userinput>ipfw -t list</userinput></screen>
<para>The next example shows the number of packets matched together with the corresponding rule. The first column shows the rule number, followed by the number of packets matched (outbound first, then inbound) and finally the rule itself.</para>
<screen>&prompt.root; <userinput>ipfw -a list</userinput></screen>
<para>To list both the dynamic and the static rules:</para>
<screen>&prompt.root; <userinput>ipfw -d list</userinput></screen>
<para>To also show the dynamic rules that have expired:</para>
<screen>&prompt.root; <userinput>ipfw -d -e list</userinput></screen>
<para>To zero the counters:</para>
<screen>&prompt.root; <userinput>ipfw zero</userinput></screen>
<para>To zero the counters only for the rule numbered <replaceable>NUM</replaceable>:</para>
<screen>&prompt.root; <userinput>ipfw zero <replaceable>NUM</replaceable></userinput></screen>
</sect2>
<sect2 id="firewalls-ipfw-rules">
<title>The IPFW Ruleset</title>
<!-- Has already appeared once -->
<para>By a <quote>ruleset</quote> in IPFW we mean a group of rules
written to allow or deny packets based on the values contained in them. The bi-directional exchange of packets between hosts constitutes a session. The firewall rule set processes both the packets arriving from the Internet and the packets the system produces in reply to them. Each <acronym>TCP/IP</acronym> service (e.g. telnet, www, mail, etc.) is defined by the protocol and the privileged port it uses to accept service requests. Packets destined for a specific service originate from the source address using an unprivileged port and end up at the specific service port on the destination. All of the above parameters (ports and addresses) can be used as selection criteria to create rules that allow or block access to services.</para> <indexterm> <primary>IPFW</primary> <secondary>rule processing order</secondary> </indexterm> <!-- Needs rewording to include note below --> <para>When a packet enters the firewall, it is compared against the first rule. The comparison proceeds through the remaining rules one by one, from first to last, in ascending rule-number order. When the packet matches a rule's selection parameters, the directive in that rule's action field is executed and the rule search for that packet ends. In this search method, <quote>the first matching rule wins</quote>.
If the packet matches none of the rules, it is caught by the mandatory IPFW default rule, number 65535, which blocks all packets and discards them without sending any reply to the original sender.</para> <note> <para>The search continues after rules of type <literal>count</literal>, <literal>skipto</literal> and <literal>tee</literal>.</para> </note> <para>The instructions given here are based on using rules that contain the <literal>keep state</literal>, <literal>limit</literal>, <literal>in</literal>, <literal>out</literal> and <literal>via</literal> directives. These are the basic building blocks of an inclusive firewall with stateful operation.</para> <warning> <para>Be very careful when working with firewall rules. You may inadvertently lock yourself out of your system.</para> </warning> <sect3 id="firewalls-ipfw-rules-syntax"> <title>Rule Syntax</title> <indexterm> <primary>IPFW</primary> <secondary>rule syntax</secondary> </indexterm> <para>In this section we present a simplified rule syntax. We show only what is needed to create a standard inclusive firewall rule set. For a complete description, see the &man.ipfw.8; manual page.</para> <para>Rules contain keywords. These keywords have to be coded in a specific order from left to right on the line. The keywords are shown below in bold. Some keywords have sub-options which may themselves be keywords and may also include yet more sub-options.</para> <para>The start of a comment is marked by the <literal>#</literal> symbol, which may appear at the end of a rule line or on a line of its own.
Blank lines are ignored.</para> <para><replaceable>CMD RULE_NUMBER ACTION LOGGING SELECTION STATEFUL</replaceable></para> <sect4> <title>CMD</title> <para>Each new rule is prefixed with the <parameter>add</parameter> parameter to add it to the internal table.</para> </sect4> <sect4> <title>RULE_NUMBER</title> <para>Each rule is associated with a rule_number in the range 1..65535.</para> </sect4> <sect4> <title>ACTION</title> <para>A rule can be associated with one or more actions, which are executed when the packet matches the rule's selection criteria.</para> <para><parameter>allow | accept | pass | permit</parameter></para> <para>All of these have the same result: the packet exits the firewall. The search for that packet terminates at this rule.</para> <para><parameter>check-state</parameter></para> <para>Checks the packet against the dynamic rules table. If a match is found, the action of the rule that created that dynamic rule is executed; otherwise the search continues with the next rule. A check-state rule has no selection criteria. If the rule set contains no check-state rule, the dynamic rules table is checked at the first keep-state or limit rule.</para> <para><parameter>deny | drop</parameter></para> <para>Both words mean the same thing: packets that match this rule are discarded. The search terminates.</para> </sect4> <sect4> <title>Logging</title> <para><parameter>log</parameter> or <parameter>logamount</parameter></para> <para>When a packet matches a rule containing the <literal>log</literal> keyword, a message is logged through &man.syslogd.8; to the SECURITY facility.
Logging only occurs if the number of packets logged so far does not exceed the <literal>logamount</literal> parameter. If that parameter is not specified, the limit is taken from the sysctl variable <literal>net.inet.ip.fw.verbose_limit</literal>. In both cases, a value of zero means logging is unlimited. Once the limit is reached, logging can be re-enabled by clearing the logging counter, or the counter for that specific rule. See the <command>ipfw reset log</command> command.</para> <note> <para>Logging is done only after all other packet matching conditions have been verified, and before the packet is finally accepted or denied. It is up to you to decide which rules to enable logging on.</para> </note> </sect4> <sect4> <title>Selection</title> <para>The keywords described in this section describe the attributes of the packet that are examined to determine whether or not it matches the rule. Selection can be based on the following general-purpose attributes, which must be used in the order shown:</para> <para><parameter>udp | tcp | icmp</parameter></para> <para>Any protocol listed in <filename>/etc/protocols</filename> may also be used. The value given is matched against the packet's protocol. This is a mandatory parameter.</para> <para><parameter>from src to dst</parameter></para> <para>The <literal>from</literal> and <literal>to</literal> keywords are used to match IP addresses. Rules must specify <emphasis>both</emphasis> the source and the destination. The <literal>any</literal> keyword matches any address. The <literal>me</literal> keyword also has a special meaning.
It matches any address configured on an interface of your system, and so stands for the PC on which the firewall runs. Rules can therefore be written as <literal>from me to any</literal>, <literal>from any to me</literal>, <literal>from any to 0.0.0.0/0</literal>, <literal>from 0.0.0.0/0 to me</literal>, <literal>from any to 0.0.0.0</literal> or <literal>from me to 0.0.0.0</literal>. IP addresses are specified as dot-separated numeric octets, optionally followed by the subnet mask length (CIDR notation). This is a mandatory parameter. The <filename role="package">net-mgmt/ipcalc</filename> utility can help with the calculations; see its web site for more information: <ulink url="http://jodies.de/ipcalc"></ulink>.</para> <para><parameter>port number</parameter></para> <para>Used with protocols that support port numbers (such as <acronym>TCP</acronym> and <acronym>UDP</acronym>). The port number of the service you want to match is mandatory. Service names (found in <filename>/etc/services</filename>) may be used instead of numeric port numbers.</para> <para><parameter>in | out</parameter></para> <para>These match inbound or outbound packets respectively. Either <literal>in</literal> or <literal>out</literal> must be part of your rule's criteria.</para> <para><parameter>via IF</parameter></para> <para>Matches packets passing through the interface with the given name.
The <literal>via</literal> keyword ensures that the interface name is always part of the criteria during matching.</para> <para><parameter>setup</parameter></para> <para>This is a mandatory parameter that identifies the session start request for <acronym>TCP</acronym> packets.</para> <para><parameter>keep-state</parameter></para> <para>This is a mandatory parameter. Upon a match, the firewall creates a dynamic rule whose default behaviour is to match bi-directional traffic between the source and destination IP address and port, using the same protocol.</para> <para><parameter>limit {src-addr | src-port | dst-addr | dst-port}</parameter></para> <para>The firewall will only allow <replaceable>N</replaceable> connections with the parameters described in this rule. More than one source and destination address and port may be specified. <literal>limit</literal> and <literal>keep-state</literal> cannot be used in the same rule. <literal>limit</literal> provides the same stateful function as <literal>keep-state</literal>, plus its own additional functions.</para> </sect4> </sect3> <sect3> <title>Stateful Rule Option</title> <indexterm> <primary>IPFW</primary> <secondary>stateful filtering</secondary> </indexterm> <!-- XXX: duplicated --> <para>Stateful filtering treats network traffic as a bi-directional exchange of packets that make up a session. It also has the ability to check whether the valid rules for exchanging messages between the sender and the receiver are being followed.
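</para> <para>The processing described above (rules tried in ascending number order, first match wins, the mandatory rule 65535 dropping whatever is left, a dynamic table fed by <literal>keep-state</literal> and <literal>limit</literal> and consulted by <literal>check-state</literal>) can be exercised offline with the following model. It is an added example, not code from the Handbook or from IPFW itself: the rule set it runs is the example script from the rules-script section below plus one inbound web rule adapted from the inclusive rule set, <literal>tun0</literal> is the public interface, 192.0.2.1 stands in for the firewall's own address, and <literal>skipto</literal> is not modelled.</para> <programlisting>```python
# IPFW rule model: ascending number order, first match wins, 65535 denies the rest.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str           # interface the packet passes through ("via")
    attrs: frozenset     # "in" or "out", plus "setup", "established", "frag"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str          # allow, deny, check-state or count
    proto: str = "all"
    src: str = "any"     # "any", "me" or a CIDR block
    dst: str = "any"
    dport: Optional[int] = None
    via: Optional[str] = None
    attrs: frozenset = frozenset()   # keywords the packet must satisfy
    keep_state: bool = False
    limit: Optional[tuple] = None    # ("src-addr", 2): sessions per source


def flow_key(p):
    # unordered endpoint pair, so the reply direction hits the same entry
    return (p.proto, frozenset([(p.src, p.sport), (p.dst, p.dport)]))


class Firewall:
    def __init__(self, rules, my_addrs):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.my_addrs = set(my_addrs)   # what the keyword "me" stands for
        self.dynamic = {}   # flow key: (creating rule, its action, limit key)

    def _addr(self, spec, addr):
        return (spec == "any" or (addr in self.my_addrs if spec == "me"
                else ip_address(addr) in ip_network(spec, strict=False)))

    def _matches(self, r, p):
        return (r.proto in ("all", p.proto) and self._addr(r.src, p.src)
                and self._addr(r.dst, p.dst) and r.dport in (None, p.dport)
                and r.via in (None, p.iface) and r.attrs.issubset(p.attrs))

    def process(self, p):
        """Return (verdict, rule number) for one packet, updating the table."""
        for r in self.rules:
            # check-state, keep-state and limit rules all consult the table
            if r.action == "check-state" or r.keep_state or r.limit:
                hit = self.dynamic.get(flow_key(p))
                if hit is not None:
                    return hit[1], hit[0]
            if not self._matches(r, p) or r.action in ("check-state", "count"):
                continue                     # no match, or keep searching
            key = None
            if r.limit:
                what, n = r.limit
                key = p.src if what == "src-addr" else p.dst
                in_use = sum(1 for rn, _, k in self.dynamic.values()
                             if rn == r.number and k == key)
                if in_use == n:              # limit reached: packet dropped
                    return "deny", r.number
            if r.keep_state or r.limit:
                self.dynamic[flow_key(p)] = (r.number, r.action, key)
            return r.action, r.number
        return "deny", 65535                 # the mandatory default rule


def run_scenarios():
    """Handbook example-script rules plus one inbound web rule with limit (from
    its inclusive rule set); 192.0.2.1 stands in for the firewall's address."""
    out_syn, in_syn = frozenset({"out", "setup"}), frozenset({"in", "setup"})
    in_ack = frozenset({"in", "established"})
    rules = [Rule(500, "check-state"), Rule(501, "deny", proto="tcp", attrs=in_ack),
             Rule(600, "allow", proto="tcp", dport=80, via="tun0",
                  attrs=out_syn, keep_state=True),
             Rule(620, "allow", proto="tcp", dst="me", dport=80, via="tun0",
                  attrs=in_syn, limit=("src-addr", 2))]
    fw, me = Firewall(rules, {"192.0.2.1"}), "192.0.2.1"
    packets = [
        # new outbound web session: rule 600 allows it and records the flow
        Packet("tcp", me, 40000, "198.51.100.7", 80, "tun0", out_syn),
        # the server's reply: check-state finds the flow, verdict of rule 600
        Packet("tcp", "198.51.100.7", 80, me, 40000, "tun0", in_ack),
        # an ACK with no session behind it: rule 501 denies it
        Packet("tcp", "203.0.113.9", 80, me, 40001, "tun0", in_ack),
        # outbound SMTP: no rule allows it, so rule 65535 drops it silently
        Packet("tcp", me, 40002, "198.51.100.25", 25, "tun0", out_syn)]
    # three web connections from one host: the third exceeds limit src-addr 2
    packets += [Packet("tcp", "203.0.113.20", sp, me, 80, "tun0", in_syn)
                for sp in (1001, 1002, 1003)]
    return [fw.process(p) for p in packets]
```</programlisting> <para>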
Any packets that do not fit the pattern of such a session are rejected as bogus.</para> <para>The <literal>check-state</literal> option identifies the point in the IPFW rule set at which the packet is checked against the dynamic rules facility. On a match, the packet exits the firewall and continues on its way, and at the same time a new dynamic rule is created for the next packet expected in this bi-directional session. If the packet does not match a dynamic rule, it moves on to be checked by the next rule of the firewall.</para> <para>The dynamic rules facility is vulnerable to resource exhaustion from a SYN flood attack, which can create a very large number of dynamic rules. To counter such an attack, &os; provides another option called <literal>limit</literal>. This option can limit the number of simultaneous sessions by examining the source and destination fields of the rules. It thereby tracks the number of dynamic rules and how many times each has been used from a given IP address. If that number exceeds the limit set with the <literal>limit</literal> option, the packet is discarded.</para> </sect3> <sect3> <title>Logging Firewall Messages</title> <indexterm> <primary>IPFW</primary> <secondary>logging</secondary> </indexterm> <para>The benefits of logging firewall events are obvious: you can see why the rules on which you enabled logging were triggered. The information includes which packets were denied, the addresses they came from and where they were headed.
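</para> <para>The messages IPFW sends through syslogd can be reduced to a per-rule, per-source tally with a short script such as the following. It is an added example, not part of the Handbook: it assumes the kernel's log line layout (rule number, action, protocol, source, destination, direction and interface, as documented in &man.ipfw.8;), treats the <quote>last message repeated N times</quote> lines that syslogd emits once the verbose limit is reached as repeats of the preceding event, and runs over a constructed sample of <filename>/var/log/security</filename>.</para> <programlisting>```python
# Summarise the messages IPFW writes through syslogd (/var/log/security by
# default) per rule and source, folding in syslogd's "last message repeated".
import re
from collections import Counter

# Kernel log line layout (see the LOGGING section of ipfw(8)):
#   ipfw: RULE ACTION PROTO SRC[:SPORT] DST[:DPORT] in|out via IFACE
# ICMP carries "ICMP:type.code" and no ports.
LOG_RE = re.compile(
    r"ipfw: (\d+) (\w+) ([A-Z]+(?::\S+)?) "
    r"([\d.]+)(?::(\d+))? ([\d.]+)(?::(\d+))? (in|out) via (\S+)")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")


def parse_line(line):
    """Return a dict for one ipfw log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rule, action, proto, src, sport, dst, dport, direction, iface = m.groups()
    return {"rule": int(rule), "action": action, "proto": proto,
            "src": src, "sport": int(sport) if sport else None,
            "dst": dst, "dport": int(dport) if dport else None,
            "direction": direction, "iface": iface}


def summarize(lines):
    """Count packets per (rule, action, src, dport). A "last message repeated
    N times" line, which syslogd emits once the verbose limit is hit, adds N
    to whatever event preceded it."""
    counts, last = Counter(), None
    for line in lines:
        rep = REPEAT_RE.search(line)
        if rep and last is not None:
            counts[last] += int(rep.group(1))
            continue
        ev = parse_line(line)
        if ev is None:
            last = None          # a foreign line breaks the repeat chain
            continue
        last = (ev["rule"], ev["action"], ev["src"], ev["dport"])
        counts[last] += 1
    return counts


def top_denied(lines, n=5):
    """The n (rule, source, dport) keys with the most Deny hits, busiest first."""
    denied = Counter({(r, s, d): c for (r, a, s, d), c in summarize(lines).items()
                      if a == "Deny"})
    return denied.most_common(n)


# Constructed sample of /var/log/security: a telnet probe caught by the final
# inbound "deny log" rule 499, a ping denied by rule 310, one logged accept.
SAMPLE_LOG = """\
Dec  5 10:32:21 gw kernel: ipfw: 499 Deny TCP 203.0.113.5:44321 192.0.2.1:23 in via dc0
Dec  5 10:32:22 gw kernel: ipfw: 499 Deny TCP 203.0.113.5:44322 192.0.2.1:23 in via dc0
Dec  5 10:32:22 gw last message repeated 45 times
Dec  5 10:33:01 gw kernel: ipfw: 310 Deny ICMP:8.0 198.51.100.9 192.0.2.1 in via dc0
Dec  5 10:33:05 gw kernel: ipfw: 299 Deny UDP 192.0.2.1:5353 224.0.0.251:5353 out via dc0
Dec  5 10:33:09 gw kernel: ipfw: 400 Accept TCP 198.51.100.20:51000 192.0.2.1:80 in via dc0
Dec  5 10:33:10 gw sshd[812]: Accepted publickey for admin from 198.51.100.20
"""

if __name__ == "__main__":
    for (rule, src, dport), count in top_denied(SAMPLE_LOG.splitlines()):
        print(f"rule {rule:5} {src:15} dport {dport}: {count} packets")
```</programlisting> <para>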
This gives you a significant advantage in tracking down attackers.</para> <para>Even with the logging facility enabled, IPFW will not by itself log anything for any rule. The firewall administrator decides which rules in the rule set to log, and adds the <literal>log</literal> keyword to those entries. Normally, logging is enabled only on rules that deny packets (<literal>deny</literal> rules), such as the rule that denies incoming <acronym>ICMP</acronym> pings. It is common practice to duplicate the <quote>ipfw default deny everything</quote> rule at the end of the rule set with the <literal>log</literal> option added. This way you can see all the packets that matched no rule in the set.</para> <para>Logging is a double-edged sword. If you are not careful, you will be lost in the volume of log data and fill your disk with useless files. The oldest and most common denial of service (DoS) attacks are those that try to fill your disks. These messages are not only written by <application>syslogd</application>, they also appear on your system console, and quickly become very annoying.</para> <para>The <literal>IPFIREWALL_VERBOSE_LIMIT=5</literal> kernel option limits the number of consecutive identical messages about packets matching a given rule that are sent to the system logger &man.syslogd.8;. When this option is enabled in the kernel, the consecutive messages for a given rule stop after the specified number. There is no benefit in 200 consecutive messages with exactly the same content. For example, five consecutive messages for a given rule would be logged to <application>syslogd</application> as usual.
The remaining identical messages would be counted and logged as shown below:</para> <programlisting>last message repeated 45 times</programlisting> <para>All logged packet messages are written by default to <filename>/var/log/security</filename>, which is defined in <filename>/etc/syslog.conf</filename>.</para> </sect3> <sect3 id="firewalls-ipfw-rules-script"> <title>Building a Rule Script</title> <para>Most experienced IPFW users create a file containing the rules and write it so that it can be run as a script. The major benefit of this is that the firewall rules can be refreshed without rebooting the system to load the new ones. This method is very convenient for testing new rules, since the procedure can be repeated as often as needed. Because it is a regular script, you can use symbolic substitution to encode frequently used values and substitute them in multiple rules. This is shown in the following example.</para> <para>The syntax used here is compatible with the &man.sh.1;, &man.csh.1; and &man.tcsh.1; shells. Symbolic substitution fields are prefixed with a dollar sign, $. The symbolic fields themselves do not have the $ prefix.
The value assigned to a symbolic field must be enclosed in double quotes.</para> <para>Start your rules file as shown below:</para> <programlisting>############### start of example ipfw rules script #############
#
ipfw -q -f flush       # Delete all rules
# Set defaults
oif="tun0"             # out interface
odns="192.0.2.11"      # ISP's DNS server IP address
cmd="ipfw -q add "     # build rule prefix
ks="keep-state"        # just too lazy to key this each time
$cmd 00500 check-state
$cmd 00502 deny all from any to any frag
$cmd 00501 deny tcp from any to any established
$cmd 00600 allow tcp from any to any 80 out via $oif setup $ks
$cmd 00610 allow tcp from any to $odns 53 out via $oif setup $ks
$cmd 00611 allow udp from any to $odns 53 out via $oif $ks
################### End of example ipfw rules script ############</programlisting> <para>That is all there is to it. The rules in this example are not important; what matters is how the symbolic substitution fields work and take their values.</para> <para>If the above example were in <filename>/etc/ipfw.rules</filename>, you could load these rules by typing the following command:</para> <screen>&prompt.root; <userinput>sh /etc/ipfw.rules</userinput></screen> <para>The <filename>/etc/ipfw.rules</filename> file can be located anywhere and can be named anything you want.</para> <para>You could achieve the same thing by running these commands by hand:</para> <screen>&prompt.root; <userinput>ipfw -q -f flush</userinput>
&prompt.root; <userinput>ipfw -q add check-state</userinput>
&prompt.root; <userinput>ipfw -q add deny all from any to any frag</userinput>
&prompt.root; <userinput>ipfw -q add deny tcp from any to any established</userinput>
&prompt.root; <userinput>ipfw -q add allow tcp from any to any 80 out via tun0 setup keep-state</userinput>
&prompt.root; <userinput>ipfw -q add allow tcp from any to 192.0.2.11 53 out via tun0
setup keep-state</userinput>
&prompt.root; <userinput>ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state</userinput></screen> </sect3> <sect3> <title>Stateful Rule Set</title> <para>The following rule set (which contains no <acronym>NAT</acronym> rules) is an example of how to write an inclusive firewall. An inclusive firewall only lets in packets that match its pass rules and denies everything else by default. Firewalls designed to protect whole networks have at least two interfaces, and rules must exist for each of them for the firewall to work.</para> <para>All &unix; operating systems, including &os;, are designed to use the <devicename>lo0</devicename> interface and the IP address <hostid role="ipaddr">127.0.0.1</hostid> for internal communication within the operating system. The firewall must contain rules that let these special, internal-use packets through unimpeded.</para> <para>The rules that authorize inbound and outbound access are written for the interface connected to the public Internet.
This interface may be, for example, <devicename>tun0</devicename> (if you are using user <acronym>PPP</acronym>), or the network card connected to your cable or DSL modem.</para> <para>If one or more network cards are connected to internal private networks behind the firewall, corresponding rules must exist that let packets flow freely between those interfaces and/or the Internet.</para> <para>The rules should be organized into three major sections: first all the interfaces on which traffic may flow freely, then the interface through which packets leave for the public Internet, and finally the interface on which packets arrive from the Internet.</para> <para>In each of the Internet-facing interface sections, the rules that match the corresponding traffic most often should come first. The last rule of the section should deny and log all remaining packets for that interface/direction.</para> <para>The Outbound section in the rule set below contains only <literal>allow</literal> rules. These rules contain specific selected values that uniquely identify the service that may be accessed on the public Internet. All rules have the <literal>proto</literal>, <literal>port</literal>, <literal>in/out</literal> and <literal>keep-state</literal> options. The <literal>proto tcp</literal> rules contain the <literal>setup</literal> option to identify the session start packet, so that the session is entered in the stateful connections table.</para> <para>In the Inbound section shown below, the rules used to deny unwanted packets come first. This is done for two different reasons.
The first is that malicious packets may partially match some attributes of legitimate traffic. These packets should be denied rather than accepted by a later <literal>allow</literal> rule. The second is that you can deny specific packets that you know are invalid but whose logging does not interest you. This keeps them from being caught and logged by the last rule. The last rule typically denies and logs all packets that reached it. This rule is used to provide legal evidence should you take legal action against people who attacked your system.</para> <para>You should also ensure that your system gives no reply to any of the unwanted packets. Such packets should be dropped and vanish. This way the attacker has no knowledge of whether his packets reached your system. The less attackers can learn about your system, the more secure it is. When you log packets with port numbers you do not recognize, look them up in <filename>/etc/services</filename> or at <ulink url="http://www.securitystats.com/tools/portsearch.php"></ulink> to find out what the port is used for. Check the following site for port numbers commonly used by malicious programs (Trojans): <ulink url="http://www.simovits.com/trojans/trojans.html"></ulink>.</para> </sect3> <sect3> <title>An Example Inclusive Rule Set</title> <para>The following rule set (which does not implement <acronym>NAT</acronym>) is fairly complete and very secure. It builds an inclusive firewall and has been tested in production. It can serve your own system just as well.
Simply comment out the <literal>pass</literal> rules for the services you do not want to enable. To avoid logging unwanted messages, just add a <literal>deny</literal> rule in the inbound section. In all rules, you must change the interface name from <devicename>dc0</devicename> to the actual name of the interface connected to the public Internet. If you are using user <acronym>PPP</acronym>, the interface name will be <devicename>tun0</devicename>.</para> <para>You will notice that there is a specific logic to the use of these rules.</para> <itemizedlist> <listitem> <para>All rules that are a request to start a new session with the public Internet use the <literal>keep-state</literal> option.</para> </listitem> <listitem> <para>All authorized services originating from the public Internet have the <literal>limit</literal> option to prevent flooding attacks.</para> </listitem> <listitem> <para>All rules use the <literal>in</literal> or <literal>out</literal> option to clarify the direction of the communication.</para> </listitem> <listitem> <para>All rules use the <literal>via <replaceable>interface-name</replaceable></literal> option to specify the interface through which the packet passes.</para> </listitem> </itemizedlist> <para>The rules shown below should be placed in <filename>/etc/ipfw.rules</filename>.</para> <programlisting>################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="dc0"     # public interface name of NIC
              # facing the public Internet

#################################################################
# No restrictions on Inside LAN Interface for private network
# Not needed unless you have LAN.
# Change xl0 to your LAN NIC interface name
#################################################################
#$cmd 00005 allow all from any to any via xl0

#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 00010 allow all from any to any via lo0

#################################################################
# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
#################################################################
$cmd 00015 check-state

#################################################################
# Interface facing Public Internet (Outbound Section)
# Check session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public Internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
# This rule is not needed for 'user ppp' connection to the public Internet.
# so you can delete this whole group.
# Use the following rule and check log for IP address.
# Then put IP address in commented out rule & delete first rule
$cmd 00120 allow log udp from any to any 67 out via $pif keep-state
#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (i.e. news groups)
$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state

# deny and log everything else that's trying to get out.
# This rule enforces the block all by default logic.
$cmd 00299 deny log all from any to any out via $pif

#################################################################
# Interface facing Public Internet (Inbound Section)
# Check packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif  #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif   #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif      #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif     #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif       #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif  #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif    #reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif     #Class D & E multicast

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
$cmd 00420 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################</programlisting> </sect3> <sect3> <title>An Example <acronym>NAT</acronym> and Stateful Rule Set</title> <indexterm> <primary>NAT</primary> <secondary>and IPFW</secondary> </indexterm> <para>Some additional configuration is needed to enable <acronym>NAT</acronym> in IPFW. You must add <literal>option IPDIVERT</literal> together with the other IPFIREWALL options to the kernel configuration file.
You must then compile and install your new custom kernel.</para>

<para>In addition to the usual IPFW options, you must also add the following to <filename>/etc/rc.conf</filename>:</para>

<programlisting>natd_enable="YES"                   # Enable <acronym>NAT</acronym>D function
natd_interface="rl0"                # interface name of public Internet NIC
natd_flags="-dynamic -m"            # -m = preserve port numbers if possible</programlisting>

<para>Using stateful rules together with the <literal>divert natd</literal> (NAT) rule greatly complicates the logic of writing the rules. The position of the <literal>check-state</literal> and <literal>divert natd</literal> rules within the ruleset becomes critical. Processing is no longer a simple matter of falling through from one rule to the next. A new kind of action is used, called <literal>skipto</literal>. To use <literal>skipto</literal> you must number your rules, so that you know exactly which rule the jump performed by this command will land on.</para>

<para>Below is an uncommented example of one way of writing the rules, chosen here to explain the sequence of packet flow through the ruleset.</para>

<para>Processing starts with the first rule from the top and proceeds one rule at a time downwards, either until the last rule is reached or until the packet matches the selection criteria of a rule and is released from the firewall. It is important to note the position of rules 100, 101, 450, 500 and 510. These rules control the translation of outbound and inbound packets so that their entries in the dynamic state table always contain the private LAN IP address. Note also that every allow and deny rule specifies both the direction of the packet and the interface.
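</para>

<para>Because <literal>skipto</literal> only ever searches forward and only works when every target number actually exists, and because the <literal>divert natd</literal>/<literal>check-state</literal> order decides whether a reply is un-NATed before the state lookup, a rules script is worth checking before it is loaded. The dry-run checker below is an added example and not Handbook or IPFW code: it shadows <literal>ipfw</literal> with a shell function so that evaluating the script records the rules instead of loading them, then verifies those two properties; <literal>dryrun</literal>, <literal>check_rules</literal> and the trimmed sample built from Example Ruleset #1 below are all constructed for this illustration.</para>

```sh
#!/bin/sh
# Added example, not Handbook or IPFW code: a dry-run checker for an IPFW
# rules script. ipfw(8) is shadowed by a shell function so that evaluating the
# script records its rules instead of loading them into the kernel.
# Constructed sample: a trimmed copy of Example Ruleset #1 from this section.
SAMPLE='
cmd="ipfw -q add"
skip="skipto 500"
pif=rl0
ipfw -q -f flush
$cmd 002 allow all from any to any via xl0
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state
$cmd 125 $skip tcp from any to any 80 out via $pif setup keep-state
$cmd 450 deny log ip from any to any
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
'

CAPTURED=""
# Stand-in for the real ipfw binary (hypothetical helper): "add" rules are
# recorded one per line, anything else such as "-q -f flush" is ignored.
ipfw() {
    while [ -n "$1" ] && [ "$1" != "${1#-}" ]; do shift; done
    [ "$1" = "add" ] || return 0
    shift
    CAPTURED="$CAPTURED$*
"
}
# Evaluates the rules script text against the stand-in and prints the rules
# it would have loaded, in the order ipfw received them.
dryrun() { CAPTURED=""; eval "$1"; printf '%s' "$CAPTURED"; }
# Checks that every "skipto N" names an existing rule with a higher number
# (skipto only searches forward) and that the inbound "divert natd" rule is
# numbered below "check-state", so replies are un-NATed before the state
# lookup. Prints one line per violation; exit status 0 means consistent.
check_rules() {
    dryrun "$1" | awk '
        { n = $1 + 0; rules[n] = 1
          if ($2 == "skipto") jumps[NR] = n " " ($3 + 0)
          if ($2 == "check-state" && !cs) cs = n
          if ($2 == "divert" && $3 == "natd" && / in via /) din = n }
        END {
            bad = 0
            for (j in jumps) {
                split(jumps[j], p, " ")
                if (!(p[2] in rules)) { print "rule " p[1] ": skipto " p[2] " has no target"; bad = 1 }
                else if (p[2] + 0 <= p[1] + 0) { print "rule " p[1] ": skipto " p[2] " does not jump forward"; bad = 1 }
            }
            if (cs && din && din > cs) { print "rule " din ": inbound divert natd must precede check-state (" cs ")"; bad = 1 }
            exit bad
        }'
}
check_rules "$SAMPLE" && echo "ruleset consistent"
```

<para>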
Also, all outbound requests for new sessions are sent directly (via <literal>skipto rule 500</literal>) to rule 500 for network address translation (NAT).</para>

<para>Suppose a LAN user uses a web browser to view a web page. Web pages use port 80 for communication. The packet enters the firewall. It does not match rule 100 because it is outbound, not inbound. It passes rule 101 because this is a new session, so it is not yet in the dynamic state table. The packet eventually reaches rule 125, which it matches. It is outbound through the network card connected to the public Internet. The packet still has the private LAN address as its source IP. Matching this rule triggers two actions. The <literal>keep-state</literal> option creates a new dynamic rule, enters it in the table, and executes the specified action. That action is part of the information written to the dynamic table; in this case it is <quote>skipto rule 500</quote>. Rule 500 translates the packet's IP address via <acronym>NAT</acronym> before it goes out to the Internet. This is very important. The packet travels to its destination, where a new packet is created and sent back as a reply. This new packet enters the firewall again at the rule at the top of the list. This time it matches rule 100 and its destination address is mapped back to the original LAN address. It is then processed by the <literal>check-state</literal> rule, which finds that it belongs to a session in progress and releases it to the LAN.
It goes to the LAN computer that sent the original packet, which sends a new packet requesting more data from the remote server. This packet is checked by the <literal>check-state</literal> rule, which finds its outbound entry and executes the associated action, in this case <quote>skipto 500</quote>. The packet jumps to rule 500, its address is translated via <acronym>NAT</acronym>, and it is released to the Internet.</para>

<para>On the inbound side, any packet recognised as part of an existing session is handled automatically by the <literal>check-state</literal> rule and the corresponding <literal>divert natd</literal> rules. All we have to deal with is denying every bad packet and allowing in only the packets destined for authorised services. Suppose an Apache server is running on the firewall machine and we want the local site to be reachable from the public Internet. The inbound new-session request matches rule 100 and its IP address is mapped to the LAN IP of the firewall machine. The packet is then checked for any problem according to the rules we use, and finally matches rule 425. Two things happen at this point. The rule for the packet is written to the dynamic state table, but this time the number of new-session requests from that particular IP is limited to 2. This defends against denial-of-service (DoS) attacks on that particular port. The rule's action is <literal>allow</literal>, so the packet is released to the LAN.
The reply packet is checked by the <literal>check-state</literal> rule, which recognises that it belongs to an already active session, and is sent to rule 500 where its address is translated via <acronym>NAT</acronym>. The packet is finally released via the outbound interface.</para>

<para>Example Ruleset #1:</para>

<programlisting>#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
pif=rl0
ks="keep-state"
good_tcpo="22,25,37,43,53,80,443,110,119"
ipfw -q -f flush
$cmd 002 allow all from any to any via xl0  # exclude LAN traffic
$cmd 003 allow all from any to any via lo0  # exclude loopback traffic
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state
# Authorized outbound packets
$cmd 120 $skip udp from any to xx.168.240.2 53 out via $pif $ks
$cmd 121 $skip udp from any to xx.168.240.5 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif  #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif   #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif      #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif     #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif       #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif  #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif    #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif     #Class D & E multicast
# Authorized inbound packets
$cmd 400 allow udp from xx.70.207.54 to any 68 in $ks
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
$cmd 450 deny log ip from any to any
# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
######################## end of rules ##################</programlisting>

<para>The following rules are almost the same as the ones above, but contain more comments to help the novice IPFW user understand better how they work.</para>

<para>Example Ruleset #2:</para>

<programlisting>#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="rl0"     # public interface name of NIC
              # facing the public Internet

#################################################################
# No restrictions on Inside LAN Interface for private network
# Change xl0 to your LAN NIC interface name
#################################################################
$cmd 005 allow all from any to any via xl0

#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 010 allow all from any to any via lo0

#################################################################
# check if packet is inbound and nat address if it is
#################################################################
$cmd 014 divert natd ip from any to any in via $pif

#################################################################
# Allow the packet through if it has previously been added to
# the "dynamic" rules table by an allow keep-state statement.
#################################################################
$cmd 015 check-state

#################################################################
# Interface facing Public Internet (Outbound Section)
# Check session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public Internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (i.e. news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state

#################################################################
# Interface facing Public Internet (Inbound Section)
# Check packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif  #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif   #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif      #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif     #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif       #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif  #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif    #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif     #Class D & E multicast

# Deny ident
$cmd 315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
$cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state

# Allow in standard www function because I have Apache server
$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Reject & Log all unauthorized incoming connections from the public Internet
$cmd 400 deny log all from any to any in via $pif

# Reject & Log all unauthorized outgoing connections to the public Internet
$cmd 450 deny log all from any to any out via $pif

# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
################ End of IPFW rules file ###############################</programlisting>
</sect3>
</sect2>
</sect1>
</chapter>